
A second Fortinet FortiWeb zero-day spurs 7-day CISA KEV deadline


A Fortinet FortiWeb zero-day vulnerability has been patched and added to the Known Exploited Vulnerabilities (KEV) catalog by the Cybersecurity and Infrastructure Security Agency (CISA), which has given federal civilian executive branch agencies (FCEB) seven days to resolve the flaw.

The flaw, tracked as CVE-2025-58034, has a high CVSS score of 7.2 and was first disclosed Tuesday by Fortinet with a patch. The vulnerability stems from the improper neutralization of special elements in operating system (OS) commands and could enable an authenticated attacker to execute unauthorized code using crafted HTTP requests or command line interface (CLI) commands, according to Fortinet.

The vulnerability was already being exploited in the wild at the time of disclosure and was added to the KEV catalog the same day. CISA imposed a seven-day deadline under Binding Operational Directive (BOD) 22-01 for FCEB agencies to remediate the flaw, citing how frequently this class of vulnerability is targeted, as well as the ongoing exploitation of another Fortinet FortiWeb zero-day disclosed last week.

CVE-2025-58034 affects versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11 and 7.0.0 through 7.0.11. The flaw was patched in versions 8.0.2, 7.6.6, 7.4.11, 7.2.12 and 7.0.12. FCEB agencies have until Nov. 25, 2025, to patch.
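For exposure management, the practical question is whether a given appliance falls inside one of the affected ranges above and which fixed build it should move to. The script below is an added example, not Fortinet or CISA code: it encodes only the affected and fixed versions the article lists for CVE-2025-58034, and the function names and the sample inventory are assumptions made for illustration. Versions are compared numerically so that, for instance, 7.4.9 is correctly ranked below 7.4.10, which a plain string comparison would get wrong.

```python
"""Check FortiWeb version strings against the CVE-2025-58034 affected ranges.

Added example, not Fortinet or CISA code. The ranges and fixed versions are
the ones given in the article; function names and sample data are assumed.
"""
from typing import Optional

# (first affected, last affected, fixed build) per branch, as listed in the article.
CVE_2025_58034_RANGES = [
    ("8.0.0", "8.0.1", "8.0.2"),
    ("7.6.0", "7.6.5", "7.6.6"),
    ("7.4.0", "7.4.10", "7.4.11"),
    ("7.2.0", "7.2.11", "7.2.12"),
    ("7.0.0", "7.0.11", "7.0.12"),
]


def parse_version(v: str) -> tuple:
    """Turn '7.4.10' into (7, 4, 10) so comparisons are numeric, not lexical."""
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected FortiWeb version format: {v!r}")
    return tuple(int(p) for p in parts)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the build to upgrade to if `version` is affected, else None."""
    ver = parse_version(version)
    for first, last, fixed in CVE_2025_58034_RANGES:
        if parse_version(first) <= ver <= parse_version(last):
            return fixed
    return None


def is_listed_branch(version: str) -> bool:
    """True if the version belongs to a branch the advisory lists at all.

    Branches outside the list (e.g. end-of-life 6.x) are not covered by the
    article, so they are flagged for manual review rather than reported safe.
    """
    major_minor = parse_version(version)[:2]
    return any(parse_version(first)[:2] == major_minor
               for first, _, _ in CVE_2025_58034_RANGES)


def triage(inventory: dict) -> dict:
    """Map hostname -> remediation status for a dict of {host: version}."""
    result = {}
    for host, version in inventory.items():
        if not is_listed_branch(version):
            result[host] = "branch not listed in advisory; check Fortinet PSIRT"
            continue
        fixed = fixed_version_for(version)
        result[host] = f"patch to {fixed}" if fixed else "not affected"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "waf-dc1": "7.4.10",
        "waf-dc2": "7.4.11",
        "waf-lab": "6.4.3",
        "waf-edge": "8.0.1",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Feed it the version strings from your asset inventory; anything reported as "patch to ..." is inside a listed affected range, and anything on an unlisted branch should be checked against Fortinet's own advisory rather than assumed clean.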

Fortinet credited Jason McFadyen of Trend Micro’s Trend Research for reporting the vulnerability under responsible disclosure.

The other FortiWeb zero-day noted in CISA’s KEV alert is tracked as CVE-2025-64446 and is a critical path traversal vulnerability with a CVSS score of 9.8. First disclosed Friday, the flaw could enable an attacker to execute administrative commands on a vulnerable system via crafted HTTP or HTTPS requests, Fortinet said.

CVE-2025-64446 was also added to the KEV on Friday with a seven-day deadline, giving agencies until Nov. 21, 2025, to patch.
