Concise Cyber

Critical FortiWeb Vulnerability CVE-2025-58034 Under Active Exploitation

Fortinet has issued a security advisory for a critical vulnerability in its FortiWeb web application firewall (WAF) product, tracked as CVE-2025-58034. The company has confirmed that this flaw is being actively exploited in targeted attacks.

The vulnerability was initially addressed in software updates released on November 12, 2025, but the corresponding security advisory, PSIRT FG-IR-25-301, was not published until November 19, 2025. During this period, threat intelligence firms reported observing active exploitation attempts against unpatched devices.

Vulnerability Details: CVE-2025-58034

CVE-2025-58034 is a command injection vulnerability found in the management interface of FortiWeb appliances. It has been assigned a CVSS score of 9.8 out of 10.0, reflecting its critical severity. A remote, unauthenticated attacker can exploit this flaw by sending a specially crafted request to the target device.

Successful exploitation allows the attacker to execute arbitrary commands on the underlying operating system with root-level privileges. This grants complete control over the compromised FortiWeb appliance. The affected versions include FortiWeb 7.8.0, 7.6.0 through 7.6.2, and 7.4.0 through 7.4.4.

Active Exploitation and Response

Security researchers have attributed the initial wave of attacks to the threat actor group known as Prophet Spider. The group was observed leveraging the exploit to deploy persistent webshells, exfiltrate device configuration files, and use the compromised WAFs as a foothold to pivot into internal corporate networks.

In response to the confirmed exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-58034 to its Known Exploited Vulnerabilities (KEV) catalog. Fortinet is urging all customers to upgrade to the patched versions immediately. The fixed versions are FortiWeb 7.8.1, 7.6.3, and 7.4.5.
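The affected and fixed version lists above are the practical takeaway for anyone maintaining a FortiWeb fleet, and the usual mistake when checking them is comparing version strings lexically ("7.6.10" sorts before "7.6.2" as text). The following is an added example, not Fortinet's code or a tool from the advisory: it parses FortiWeb version strings into numeric tuples, checks each against the inclusive ranges quoted above, and reports which appliances still need the corresponding fixed release. The inventory at the bottom is constructed sample data; branches the article does not list (for example 7.2.x) are reported as "not-listed" rather than as safe, since this summary says nothing about them.

```python
"""Triage FortiWeb firmware versions against the CVE-2025-58034 ranges quoted above.

Added example, not Fortinet's code. Ranges are taken from the advisory summary
in this article; the host inventory below is constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (lowest affected, highest affected, first fixed) per release branch,
# exactly as stated in the article: 7.8.0; 7.6.0-7.6.2; 7.4.0-7.4.4.
AFFECTED_BRANCHES = {
    (7, 8): ((7, 8, 0), (7, 8, 0), (7, 8, 1)),
    (7, 6): ((7, 6, 0), (7, 6, 2), (7, 6, 3)),
    (7, 4): ((7, 4, 0), (7, 4, 4), (7, 4, 5)),
}

_VERSION_RE = re.compile(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*")


def parse_version(text: str) -> Optional[Version]:
    """Turn '7.6.2' or 'v7.6.2' into (7, 6, 2); return None for anything else."""
    m = _VERSION_RE.fullmatch(text)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Classify one version string.

    Returns (status, fixed_version) where status is one of:
      'vulnerable'  - inside an affected range; fixed_version names the upgrade target
      'patched'     - on a listed branch but at or above its fixed release
      'not-listed'  - branch not mentioned in the article; check the vendor advisory
      'unknown'     - string could not be parsed as a version
    Tuple comparison is numeric, so 7.6.10 correctly sorts after 7.6.2.
    """
    v = parse_version(version_text)
    if v is None:
        return ("unknown", None)
    branch = AFFECTED_BRANCHES.get(v[:2])
    if branch is None:
        return ("not-listed", None)
    low, high, fixed = branch
    if low <= v <= high:
        return ("vulnerable", fmt(fixed))
    return ("patched", None)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, current_version, upgrade_to) for every vulnerable appliance."""
    needs_upgrade = []
    for host, version_text in inventory:
        status, fixed = assess(version_text)
        if status == "vulnerable":
            needs_upgrade.append((host, version_text.strip(), fixed))
    return needs_upgrade


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("waf-dmz-01", "7.6.2"),    # affected
    ("waf-dmz-02", "7.6.3"),    # fixed release
    ("waf-core-01", "7.8.0"),   # affected
    ("waf-core-02", "7.6.10"),  # above the affected range; lexical compare would get this wrong
    ("waf-lab-01", "7.4.4"),    # affected
    ("waf-legacy-01", "7.2.9"), # branch not covered by this summary
    ("waf-test-01", "n/a"),     # unparseable
]

if __name__ == "__main__":
    for host, version, fixed in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected by CVE-2025-58034, upgrade to {fixed}")
    for host, version in SAMPLE_INVENTORY:
        status, _ = assess(version)
        if status in ("not-listed", "unknown"):
            print(f"{host}: version '{version}' is {status}; verify manually")
```

Anything reported as "not-listed" or "unknown" should be checked against PSIRT FG-IR-25-301 directly rather than assumed clean, and the ranges in `AFFECTED_BRANCHES` should be re-read from the vendor advisory before the script is used for anything beyond a first pass.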

All articles are written here with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy other persons' work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You're advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections, concerns or want to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
