(TLP:CLEAR) WaterISAC Advisory – Two Fortinet Vulnerabilities Being Actively Exploited, Utilities Encouraged to Patch Immediately
Created: Thursday, November 20, 2025 - 12:00
Categories: Cybersecurity, Security Preparedness
Summary: ACTION REQUIRED for utilities running affected Fortinet FortiWeb versions. See mitigation guidance below. Utilities that outsource technology support may need to consult with their service providers for assistance with remediation actions.
This week, Fortinet released security updates to patch a new FortiWeb zero-day vulnerability (CVE-2025-58034) that threat actors are actively exploiting in attacks. Last week, Fortinet confirmed that it silently patched another FortiWeb zero-day vulnerability (CVE-2025-64446) on October 28 that was also under active exploitation.
Analyst Note: Vulnerabilities in Fortinet edge devices are regularly targeted by nation-state affiliated threat actors and other cyber criminals, underscoring the importance of applying the latest vendor patches. For CVE-2025-58034, researchers found that authenticated threat actors can gain code execution by successfully exploiting this OS command injection vulnerability in low-complexity attacks that don’t require user interaction.
“An Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands,” Fortinet said in a Tuesday security advisory. The company confirmed it has seen the vulnerability exploited in the wild. The cybersecurity firm Trend Micro has observed attacks in the wild exploiting this vulnerability, with around 2,000 detections as of this writing.
For CVE-2025-64446, a zero-day vulnerability in FortiWeb’s interface could allow an unauthenticated threat actor to execute administrative commands on a system via specially crafted HTTP or HTTPS requests, which could allow them to bypass authentication and create admin accounts.
Cybersecurity company Rapid7 warned that threat actors have been exploiting this critical Fortinet FortiWeb vulnerability since October 2025. Fortinet also confirmed it has observed threat actors exploiting the vulnerability in the wild. Rapid7 tested the latest FortiWeb version 8.0.2 and found that the existing proof-of-concept only works against earlier versions, including version 8.0.1.
On Friday, CISA also added CVE-2025-64446 to its catalog of actively exploited vulnerabilities and ordered U.S. federal agencies to secure their systems by November 21.
FortiAppSec Cloud is NOT impacted by this vulnerability.
To block incoming attacks exploiting these two vulnerabilities, network defenders are encouraged to upgrade their FortiWeb devices to the latest available software release, which Fortinet recently published.
Original Sources:
- https://fortiguard.fortinet.com/psirt/FG-IR-25-513
- https://fortiguard.fortinet.com/psirt/FG-IR-25-910
- https://www.cisa.gov/news-events/alerts/2025/11/14/fortinet-releases-security-advisory-relative-path-traversal-vulnerability-affecting-fortiweb
Additional Reading:
- Fortinet warns of new FortiWeb zero-day exploited in attacks
- CVE-2025-64446: Critical Vulnerability in Fortinet FortiWeb Exploited in the Wild
- When The Impersonation Function Gets Used To Impersonate Users (Fortinet FortiWeb Auth. Bypass CVE-2025-64446)
Mitigation Recommendations:
For CVE-2025-58034:
- The zero-day flaw affects multiple release branches of the FortiWeb software. The vulnerable versions are: 8.0.0 through 8.0.1, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. Any device running a version within these ranges may be exposed to active exploitation and should be remediated as soon as possible.
- Upgrade affected devices to the following fixed versions, or later:
- FortiWeb 8.0: Upgrade to 8.0.2 or above.
- FortiWeb 7.6: Upgrade to 7.6.6 or above.
- FortiWeb 7.4: Upgrade to 7.4.11 or above.
- FortiWeb 7.2: Upgrade to 7.2.12 or above.
- FortiWeb 7.0: Upgrade to 7.0.12 or above.
- Ensure the FortiWeb management interface (HTTP/HTTPS administrative interface) is strictly limited to internal, trusted networks and is not exposed to the public internet.
- Review all user accounts and logs for any suspicious or unauthorized activity indicative of a compromised administrative session.
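The affected and fixed version ranges above are easy to misread by hand across a fleet of appliances (7.4.10 sorts after 7.4.2 numerically, not alphabetically). The following Python script is an added example, not WaterISAC or Fortinet code: it encodes the CVE-2025-58034 ranges exactly as listed in this advisory, compares a FortiWeb version string against them, and triages a device inventory. The inventory and the version strings in it are constructed sample data, and the script covers only CVE-2025-58034; for CVE-2025-64446 consult Fortinet's advisory for the applicable versions.

```python
"""Added example: triage FortiWeb versions against the CVE-2025-58034 ranges
listed in the WaterISAC advisory. Not vendor code; ranges copied from the advisory."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (branch, first affected, last affected, first fixed) for CVE-2025-58034,
# taken from the advisory's mitigation section.
CVE_2025_58034_RANGES = [
    ("8.0", (8, 0, 0), (8, 0, 1), (8, 0, 2)),
    ("7.6", (7, 6, 0), (7, 6, 5), (7, 6, 6)),
    ("7.4", (7, 4, 0), (7, 4, 10), (7, 4, 11)),
    ("7.2", (7, 2, 0), (7, 2, 11), (7, 2, 12)),
    ("7.0", (7, 0, 0), (7, 0, 11), (7, 0, 12)),
]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'. Tolerates a leading 'v' and trailing build
    suffixes such as ',build0123' or '-GA'; the numeric tuple compares correctly
    (7.4.10 > 7.4.2), which a plain string comparison would get wrong."""
    core = text.strip().lstrip("vV")
    for sep in (",", "-", "+", " "):
        core = core.split(sep)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(version_text: str) -> Dict[str, Optional[str]]:
    """Classify one version: 'vulnerable' with the fixed version to move to,
    'patched' (a listed branch at or above its fixed version), or 'unlisted'
    (a branch the advisory does not cover, which needs a manual vendor check)."""
    v = parse_version(version_text)
    for branch, lo, hi, fixed in CVE_2025_58034_RANGES:
        if lo <= v <= hi:
            return {"version": fmt(v), "branch": branch,
                    "status": "vulnerable", "upgrade_to": fmt(fixed)}
        if v[:2] == lo[:2]:
            return {"version": fmt(v), "branch": branch,
                    "status": "patched", "upgrade_to": None}
    return {"version": fmt(v), "branch": None,
            "status": "unlisted", "upgrade_to": None}


def triage(inventory: Dict[str, str]) -> List[Dict[str, Optional[str]]]:
    """Return one record per device that still needs action (vulnerable or
    unlisted), sorted so vulnerable devices come first."""
    results = []
    for name, ver in inventory.items():
        try:
            r = assess(ver)
        except ValueError as exc:
            r = {"version": ver, "branch": None, "status": "unparseable",
                 "upgrade_to": None, "error": str(exc)}
        if r["status"] != "patched":
            results.append({"device": name, **r})
    order = {"vulnerable": 0, "unparseable": 1, "unlisted": 2}
    return sorted(results, key=lambda r: order[r["status"]])


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "fwb-edge-01": "7.4.10,build0456",   # last affected 7.4 release
    "fwb-edge-02": "8.0.2",              # first fixed 8.0 release
    "fwb-dr-01": "v7.2.3",               # affected, needs 7.2.12
    "fwb-lab-01": "7.6.6-GA",            # fixed
    "fwb-legacy-01": "6.4.1",            # branch not covered by the advisory
}

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        target = f" -> upgrade to {r['upgrade_to']}" if r["upgrade_to"] else ""
        print(f"{r['device']}: {r['version']} [{r['status']}]{target}")
```

Run it against your own exported inventory in place of `SAMPLE_INVENTORY`; anything reported as vulnerable maps directly onto the upgrade targets listed above, and anything reported as unlisted should be checked against the Fortinet PSIRT advisory rather than assumed safe.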
For CVE-2025-64446:
- Apply the necessary upgrades listed in Fortinet’s guidance.
- If you cannot immediately upgrade the affected systems, disable HTTP or HTTPS for internet-facing interfaces. Note: Limiting access to HTTP/HTTPS management interfaces to internal networks is a best practice that reduces, but does not eliminate, risk; upgrading the affected systems remains essential and is the only way to fully remediate this vulnerability.
- After upgrading, review configuration and review logs for unexpected modifications or the addition of unauthorized administrator accounts.
Incident Reporting:
WaterISAC encourages any members who have experienced malicious or suspicious activity to email an*****@*******ac.org, call 866-H2O-ISAC, or use the confidential online incident reporting form.
Related WaterISAC PIRs: 6, 7, 10, 12
