CVE-2025-58034
In short
A flaw in Fortinet FortiWeb allows a logged-in attacker holding a high-privilege account to run unauthorized commands on the appliance's underlying operating system by sending specially crafted requests or CLI commands. This could let them take full control of the system and steal, alter or destroy data.
Technical detail
OS command injection (CWE-78) in Fortinet FortiWeb. The affected builds are 8.0.0 through 8.0.1, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11 and 7.0.0 through 7.0.11. These are per-branch ranges, not one span from 7.0.0 to 8.0.1: a build such as 7.4.11 is outside the affected set even though it sorts between those two numbers. An authenticated attacker, who according to the CVSS vector needs high privileges (PR:H), supplies input through a crafted HTTP request or CLI command that the appliance passes to the underlying operating system without sufficiently neutralizing shell metacharacters. Constructs such as ';', '|', '&&', backticks and '$(...)' then let the attacker chain or substitute their own commands into the one the appliance meant to run, giving code execution on the underlying system with full impact on confidentiality, integrity and availability. The official description does not identify the specific endpoint or CLI command involved.
Summary generated and translated by AI from the official description.
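The pattern the summary describes, shown as an added example that is not FortiWeb code and not taken from this page: the page does not identify the vulnerable endpoint, so a hypothetical diagnostic handler that takes a 'host' parameter from an authenticated request stands in for it, and a plain echo command replaces whatever tool the real code path invokes so the example runs offline. The vulnerable function splices the value into a string that /bin/sh parses; the hardened one validates against an allowlist and executes an argv list with no shell. A small request-side check flags shell metacharacters, and the sample values are constructed for the demonstration.

```python
"""Illustrative CWE-78 sink and its hardened form.

Added example for this page, not FortiWeb code. The handler, its function
names and the echo-based command are assumptions; the page does not say which
FortiWeb endpoint or CLI command carries the real flaw.
"""
import re
import subprocess

# Constructed request values. Each attacker-controlled one uses a different
# shell construct named in the technical summary: chaining (;), command
# substitution ($(...) and backticks), and a pipe (|).
SAMPLE_HOSTS = {
    "benign": "203.0.113.10",
    "chain": "203.0.113.10; echo INJECTED",
    "substitution": "$(echo INJECTED)",
    "backtick": "`echo INJECTED`",
    "pipe": "203.0.113.10 | echo INJECTED",
}

# Metacharacters that hand control to /bin/sh when they reach a shell.
SHELL_META = re.compile(r"[;&|`<>\n\r]|\$[({]")

# Allowlist for the hardened path: a hostname or IPv4 literal that does not
# start with '-', so the value can never be read as a command-line option.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]{0,252}")


def run_vulnerable(host: str) -> str:
    """Vulnerable pattern: the value is spliced into one string that /bin/sh parses."""
    cmd = "echo host=" + host  # the CWE-78 sink: shell=True below parses this
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_hardened(host: str) -> str:
    """Hardened pattern: allowlist validation, then argv execution without a shell."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("rejected host parameter: %r" % host)
    # The value is a single argv element; no shell ever interprets it.
    proc = subprocess.run(["echo", "host=" + host], shell=False,
                          capture_output=True, text=True)
    return proc.stdout


def looks_like_injection(value: str) -> bool:
    """Cheap request-side check: does the parameter carry shell metacharacters?"""
    return SHELL_META.search(value) is not None


def audit_samples() -> dict:
    """Run every sample through both paths and report whether the marker ran."""
    report = {}
    for label, host in SAMPLE_HOSTS.items():
        marker_ran = "INJECTED" in run_vulnerable(host)
        try:
            run_hardened(host)
            accepted = True
        except ValueError:
            accepted = False
        report[label] = {
            "flagged": looks_like_injection(host),
            "vulnerable_executed_marker": marker_ran,
            "hardened_accepted": accepted,
        }
    return report


if __name__ == "__main__":
    for label, row in audit_samples().items():
        print(label, row)
```

Escaping the value (for instance with shlex.quote) before building the string is a weaker fix than the argv form, because it keeps a shell in the loop and depends on the quoting being correct for every character set the value can carry. The same rule applies when the input arrives through a CLI command rather than an HTTP parameter: whatever reaches the operating system must be one argument, validated against an allowlist, and never a fragment of a command line.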
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Base score 7.2 (High), as computed from the vector: reachable over the network with low attack complexity and no user interaction, but requiring high privileges on the appliance; impact is high on confidentiality, integrity and availability, with no scope change. The temporal metrics state that a functional exploit exists (E:F), an official fix is available (RL:O) and the report is confirmed (RC:C).
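An affected-version check built from the ranges in the official description, added here as an example and not Fortinet tooling. Because the advisory lists per-branch ranges, the check keys on the major.minor branch first and reports separately when a build is on a branch the advisory does not mention, rather than calling it unaffected. Fixed releases are not stated on this page, so the check answers only whether a build is inside an affected range. The inventory lines and the status-line format are constructed assumptions.

```python
"""Affected-version check for CVE-2025-58034.

Added example, not Fortinet tooling. The ranges below are copied from the
official description; fixed releases are not given on this page, so a build
just above a range is reported as 'not affected' by the listed ranges only.
"""
import re

# (first affected, last affected) per branch, exactly as the advisory lists them.
AFFECTED_RANGES = [
    ((8, 0, 0), (8, 0, 1)),
    ((7, 6, 0), (7, 6, 5)),
    ((7, 4, 0), (7, 4, 10)),
    ((7, 2, 0), (7, 2, 11)),
    ((7, 0, 0), (7, 0, 11)),
]

# First standalone major.minor.patch triple in a string.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?![\d.])")

# Constructed inventory: hostname -> version as an operator might have recorded
# it. The 'Version: ...' status-line format is an assumption for the example.
SAMPLE_INVENTORY = {
    "waf-edge-01": "7.4.10",
    "waf-edge-02": "7.4.11",
    "waf-dmz-01": "Version: FortiWeb-VM 7.6.3,build1201(GA)",
    "waf-lab-01": "v8.0.2",
    "waf-legacy": "6.4.2",
}


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from a version string or status line.
    Raises ValueError when no dotted triple is present."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no major.minor.patch version found in %r" % text)
    return tuple(int(part) for part in m.groups())


def classify(text: str) -> str:
    """Return 'affected', 'not affected' (branch listed, build outside its
    range) or 'branch not listed' (the advisory says nothing about it)."""
    version = parse_version(text)
    branch = version[:2]
    for low, high in AFFECTED_RANGES:
        if low[:2] != branch:
            continue
        return "affected" if low <= version <= high else "not affected"
    return "branch not listed"


def scan_inventory(inventory: dict) -> dict:
    """Classify every host in an inventory mapping."""
    return {name: classify(text) for name, text in inventory.items()}


if __name__ == "__main__":
    for name, verdict in scan_inventory(SAMPLE_INVENTORY).items():
        print(name, verdict)
```

A 'branch not listed' result is a prompt to consult the vendor advisory for that branch, not a clean bill of health; the page only speaks for the 7.0 through 8.0 branches it names.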
Affected products
Fortinet · FortiWeb