Impact of actively exploited Fortinet FortiWeb flaws more extensive than thought

Older, unsupported Fortinet FortiWeb 6.x instances could also be compromised in attacks exploiting the operating system command injection flaw, tracked as CVE-2025-58034, and the relative path traversal vulnerability, tracked as CVE-2025-64446, which had been confirmed to affect multiple FortiWeb 7.x and 8.x versions, Cybersecurity Dive reports.

In-the-wild abuse of both security issues in FortiWeb 6.x instances has not yet been observed, according to Rapid7 researchers, who have already informed customers regarding the flaws that will also be added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog. Such a development comes after Fortinet was chastised for providing a silent patch for the issues, which hindered remediation efforts.

"In this case, we saw exploitation in the wild before CVEs were even issued, which is a huge kneecap for defenders. Many of the processes and triage steps that are taken when new vulnerabilities come out rely on those CVE identifiers," said Rapid7 staff security researcher Ryan Emmons.