According to TheRegister.com, Fortinet has confirmed another zero-day vulnerability in its FortiWeb web application firewall being actively exploited in the wild, just four days after disclosing a separate critical bug in the same product. The new vulnerability, tracked as CVE-2025-58034, is an OS command injection flaw that allows authenticated attackers to execute unauthorized code using crafted HTTP requests or CLI commands. Trend Micro researcher Stephen Hilt reported approximately 2,000 detections of attacks exploiting this flaw so far. The US Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalog on Tuesday, giving federal agencies an unusually short 7-day deadline to patch instead of the typical 15-30 days. This comes just days after Fortinet disclosed CVE-2025-64446, a critical path traversal vulnerability that allows unauthenticated attackers to execute administrative commands and take over vulnerable devices.
The likely exploit chain
Here’s the thing that security researchers are noticing: these two vulnerabilities appear to work perfectly together. The first bug, CVE-2025-64446, is an authentication bypass that lets attackers get into systems without credentials. The second, CVE-2025-58034, requires authentication but then lets attackers run system commands. Put them together? Basically, you’ve got a complete attack chain that goes from zero access to full system control. Rapid7’s analysis specifically calls this out, noting “it seems highly likely these two vulnerabilities comprise an exploit chain for unauthenticated remote code execution.” That’s bad news for anyone running vulnerable FortiWeb devices.
The concerning timeline
Now, the timing here is pretty suspicious. Fortinet disclosed these bugs just days apart, and both were actually patched in earlier updates without any disclosure at the time. The company only admitted the first vulnerability was being exploited in the wild after third-party researchers like watchTowr had already been warning about active exploitation for a month. And Fortinet still hasn’t confirmed whether these two issues are related, even though the connection seems pretty obvious to security professionals. When you’re dealing with industrial security systems and critical infrastructure protection, this kind of delayed disclosure can have serious consequences. Companies relying on these firewalls to protect manufacturing systems and industrial networks need immediate, transparent information to secure their operations effectively.
Why the rush to patch
CISA doesn’t usually give federal agencies just seven days to patch vulnerabilities – that’s half their normal 15-day deadline for critical issues. The fact they’re pushing this so aggressively tells you everything you need to know about how dangerous this situation is. As CISA warned, “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.” And with Trend Micro already detecting around 2,000 exploitation attempts, this isn’t theoretical – attackers are actively using this right now. If you’re responsible for any FortiWeb devices, particularly those protecting critical industrial systems or manufacturing networks, you need to drop everything and apply those patches immediately. The Fortinet security advisory has the details on which versions are affected and how to update.
