CISA adds one known exploited vulnerability to catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added a new vulnerability affecting Fortinet's FortiWeb Operating System (OS) to its Known Exploited Vulnerabilities (KEV) Catalog. The vulnerability permits command code injection and is under active exploitation, posing a risk to affected systems.
The vulnerability is tracked as CVE-2025-58034 and concerns Fortinet's FortiWeb OS. The security issue involves the potential for command code injection, triggered under the specific exploit conditions noted in the advisory. The report sets this vulnerability apart from others by its active exploitation status and the resulting need for accelerated remediation.
The primary consequence of this vulnerability is unauthorized command execution, which may compromise the confidentiality, integrity, or availability of the targeted system, as explicitly described in the advisory. The advisory notes recent and ongoing exploitation events associated with this vulnerability.
To address the issue, Fortinet has released security updates as part of its advisory on a relative path traversal vulnerability affecting FortiWeb products. CISA recommends a remediation timeframe of one week, shorter than the standard window, reflecting the urgency created by active exploitation. This aligns with the directives outlined in CISA's Binding Operational Directive (BOD) 23-02, which provides guidance on minimizing the attack surface of internet-exposed management interfaces.
CISA's BOD 22-01 establishes the KEV Catalog as a dynamic resource listing CVEs that present considerable risk to federal agencies. Under BOD 22-01, Federal Civilian Executive Branch agencies are mandated to remediate listed vulnerabilities by specified deadlines. Although the directive applies specifically to federal agencies, CISA encourages all organizations to prioritize timely mitigation of vulnerabilities included in the KEV Catalog as part of overall vulnerability management strategies.