CVE-2025-58034

Fortinet FortiWeb OS Command Injection (CVE-2025-58034)

Detects exploitation of CVE-2025-58034, an OS command injection vulnerability (CWE-78) in Fortinet FortiWeb. This KEV-listed vulnerability allows attackers to inject and execute arbitrary OS commands through FortiWeb's management or inspection interfaces, potentially leading to full appliance compromise, lateral movement, and persistent access to network segmentation points.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Fortinet
Product
FortiWeb

Weakness (CWE)

Timeline

Disclosed
November 18, 2025

CVSS

Unscored

What is CVE-2025-58034 (Fortinet FortiWeb OS Command Injection)?

In MITRE ATT&CK terms, Fortinet FortiWeb OS Command Injection (CVE-2025-58034) maps to the Initial Access, Execution, Persistence and Lateral Movement tactics: the adversary is trying to get into your network, execute code, maintain a foothold and move through the environment.

This page provides production-ready detection logic for Fortinet FortiWeb OS Command Injection (CVE-2025-58034), covering the data sources and telemetry it touches: CommonSecurityLog, Syslog, AzureActivity. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access, Execution, Persistence, Lateral Movement
Microsoft Sentinel / Defender
```kusto
// Hunts across three tables; isfuzzy=true lets the union run even when one table is absent from the workspace.
union isfuzzy=true
(
  CommonSecurityLog
  | where DeviceVendor =~ "Fortinet" and DeviceProduct =~ "FortiWeb"
  // Keyword hits from FortiWeb's own extension fields
  | where AdditionalExtensions has_any ("cmd_injection", "os_command", "shell_exec", "command_injection")
      // Shell metacharacters are punctuation, not indexed terms, so has_any cannot match them;
      // a regex substring match is needed for both the raw and the URL-encoded forms
      or Message matches regex @"(;|&&|\|\||`|\$\()"
      or RequestURL matches regex @"(?i)(%3B|%7C|%26%26|%60|%24%28)"
  | project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, RequestURL, Message, Activity, Severity, AdditionalExtensions
),
(
  Syslog
  // FortiWeb daemons that would log a spawned shell or an injection attempt
  | where ProcessName has_any ("httpsd", "wad", "fortiweb")
  | where SyslogMessage has_any ("cmd_injection", "os_command", "command injection", "shell", "execve", "/bin/sh", "/bin/bash")
  | project TimeGenerated, HostName, ProcessName, SyslogMessage
),
(
  AzureActivity
  // Failed control-plane operations that name the FortiWeb resource
  | where ResourceProviderValue =~ "Microsoft.Network"
  | where OperationNameValue has_any ("FortiWeb", "Fortinet")
  | where ActivityStatusValue =~ "Failed"
)
| extend CVE = "CVE-2025-58034"
| sort by TimeGenerated desc
```

Hunts for OS command injection exploitation attempts against Fortinet FortiWeb appliances using CommonSecurityLog, Syslog, and AzureActivity tables. Looks for shell metacharacters in URLs and known FortiWeb process anomalies.

critical severity, medium confidence

Data Sources

CommonSecurityLog Syslog AzureActivity

Required Tables

CommonSecurityLog Syslog

False Positives

  • Legitimate FortiWeb administrative activity involving shell-like characters in URLs
  • Security scanners or vulnerability assessment tools probing FortiWeb management interfaces
  • URL-encoded characters in normal web traffic passing through FortiWeb inspection
  • FortiWeb health checks or monitoring agents generating similar log patterns
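The CommonSecurityLog leg of the query above, together with the false-positive tuning listed here, as an added worked example that is not part of the original page: it parses a few constructed CEF-style FortiWeb lines, percent-decodes the request URL repeatedly (so double encoding does not hide a delimiter), flags shell metacharacters and FortiWeb's own injection keywords, and drops hits from an allowlist of monitoring hosts. The log lines, the `ALLOWLISTED_SOURCES` addresses and the `request`/`msg` extension keys are constructed assumptions, not FortiWeb's real CEF field names.

```python
"""Added example (not from the original page): the page's KQL detection idea,
shell metacharacters in FortiWeb request URLs, applied to constructed CEF lines."""
import re
from urllib.parse import unquote

# Constructed sample lines in CEF format; these are not real FortiWeb logs.
SAMPLE_LOGS = [
    "CEF:0|Fortinet|FortiWeb|7.0|10001|HTTP request|5|src=203.0.113.10 dst=198.51.100.5 "
    "request=/cgi-bin/module%3Bid%3Bwhoami msg=allowed",
    "CEF:0|Fortinet|FortiWeb|7.0|10001|HTTP request|5|src=203.0.113.11 dst=198.51.100.5 "
    "request=/api/v2.0/status msg=allowed",
    "CEF:0|Fortinet|FortiWeb|7.0|10001|HTTP request|5|src=192.0.2.20 dst=198.51.100.5 "
    "request=/healthz%3Bv%3D1 msg=allowed",
    "CEF:0|Fortinet|FortiWeb|7.0|10002|WAF alert|8|src=203.0.113.12 dst=198.51.100.5 "
    "request=/login msg=cmd_injection detected in parameter",
]

# Constructed placeholder: monitoring agents / authorised scanners whose requests are
# expected to carry shell-like characters (the false-positive cases listed on the page).
ALLOWLISTED_SOURCES = {"192.0.2.20"}

# Same metacharacters the KQL looks for, matched after URL decoding.
SHELL_META = re.compile(r"(;|&&|\|\||`|\$\()")
INJECTION_KEYWORDS = ("cmd_injection", "os_command", "shell_exec", "command_injection")


def parse_cef(line):
    """Split a CEF line into its seven header fields and a dict of key=value extensions."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    names = ("version", "vendor", "product", "dev_version", "sig_id", "name", "severity")
    header = dict(zip(names, parts[:7]))
    # Each value runs until the next " key=" token or the end of the line.
    ext = {m.group(1): m.group(2) for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", parts[7])}
    return header, ext


def decode_url(url, max_rounds=3):
    """Percent-decode until stable so a double-encoded %253B still resolves to ';'."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def classify_line(line):
    """Return a hit record for a FortiWeb line showing injection indicators, else None."""
    header, ext = parse_cef(line)
    if header["vendor"].lower() != "fortinet" or header["product"].lower() != "fortiweb":
        return None
    reasons = []
    url = decode_url(ext.get("request", ""))
    if SHELL_META.search(url):
        reasons.append("shell metacharacter in RequestURL")
    msg = ext.get("msg", "").lower()
    if any(k in msg for k in INJECTION_KEYWORDS):
        reasons.append("FortiWeb injection keyword in message")
    if not reasons:
        return None
    src = ext.get("src")
    return {"src": src, "url": url, "reasons": reasons, "allowlisted": src in ALLOWLISTED_SOURCES}


def hunt(lines):
    """Apply the detection and drop hits from allowlisted monitoring sources; skip malformed lines."""
    hits = []
    for line in lines:
        try:
            hit = classify_line(line)
        except ValueError:
            continue
        if hit and not hit["allowlisted"]:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOGS):
        print(h["src"], h["url"], "; ".join(h["reasons"]))
```

The third sample line shows why the allowlist matters: a health check with a percent-encoded semicolon looks identical to an injection probe at the URL level, so the exclusion has to key on source rather than on the request. In the KQL this is the place for an anti-join against a watchlist of scanner and monitoring addresses.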

Sigma rule & cross-platform mapping

The detection logic for Fortinet FortiWeb OS Command Injection (CVE-2025-58034) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

logsource:
  product: azure


Last updated: 2026-06-19
Research depth: standard

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: FortiWeb Command Injection via URI Path Semicolon Delimiter

    Expected signal: FortiWeb access logs showing an HTTP GET request to /cgi-bin/module;id;whoami from the test IP. CommonSecurityLog entry with RequestURL containing semicolons.

  2. Test 2: FortiWeb Command Injection via URL-Encoded Shell Metacharacters

    Expected signal: FortiWeb logs showing a request URL containing the %3B sequence. Network proxy or WAF logs showing the URL-decoded form with semicolons.

  3. Test 3: Simulated Post-Exploitation Shell Spawn from Web Process

    Expected signal: Process execution log showing /bin/bash spawned with parent process www-data or the httpsd equivalent. File creation event for /tmp/fortiweb_compromise_marker.txt.

  4. Test 4: FortiWeb Management Interface Credential Stuffing and Command Injection Attempt

    Expected signal: FortiWeb authentication log showing a POST to the management API with an injection payload in the password field. CommonSecurityLog DeviceAction showing an authentication attempt with anomalous credential content.
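Test 3 expects host telemetry rather than a request log. The following added example (not from the page, and not FortiWeb's own logging format) shows the lineage check a detection would run over process and file events to produce that signal: a shell whose parent is a web-serving process, followed by a file written to a temp directory by that shell. The event dictionaries and the `pcomm`/`exe` field names are constructed assumptions loosely modelled on execve auditing.

```python
"""Added example (not from the original page): detecting the Test 3 signal,
a shell spawned by a FortiWeb web process, over constructed host events."""

# Parents that should never spawn an interactive shell on the appliance
WEB_PARENTS = {"httpsd", "wad", "www-data", "fortiweb"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "sh", "bash"}
# Directories where post-exploitation markers and droppers typically land
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed events (assumed shape): exec records carry pid/ppid/comm/parent comm/exe,
# file_create records carry the writing pid and the path. Not real FortiWeb telemetry.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "exec", "pid": 2001, "ppid": 1500, "comm": "httpsd", "pcomm": "init", "exe": "/bin/httpsd"},
    {"ts": 2, "type": "exec", "pid": 2002, "ppid": 2001, "comm": "bash", "pcomm": "httpsd", "exe": "/bin/bash"},
    {"ts": 3, "type": "file_create", "pid": 2002, "path": "/tmp/fortiweb_compromise_marker.txt"},
    # Benign lineage: a shell started by cron, and a non-shell child of httpsd
    {"ts": 4, "type": "exec", "pid": 2003, "ppid": 1, "comm": "bash", "pcomm": "cron", "exe": "/bin/bash"},
    {"ts": 5, "type": "exec", "pid": 2004, "ppid": 2001, "comm": "logrotate", "pcomm": "httpsd", "exe": "/usr/sbin/logrotate"},
]


def detect_web_shell_spawn(events):
    """Flag exec events where a web-serving parent spawns a shell, then attach any
    temp-directory file creations made by that shell pid to the finding."""
    findings = []
    shell_pids = {}  # pid of a flagged shell -> its finding record
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "exec":
            if ev["pcomm"] in WEB_PARENTS and (ev["exe"] in SHELLS or ev["comm"] in SHELLS):
                finding = {"pid": ev["pid"], "parent": ev["pcomm"], "shell": ev["exe"], "files": []}
                shell_pids[ev["pid"]] = finding
                findings.append(finding)
        elif ev["type"] == "file_create":
            finding = shell_pids.get(ev["pid"])
            if finding and ev["path"].startswith(SUSPICIOUS_DIRS):
                finding["files"].append(ev["path"])
    return findings


if __name__ == "__main__":
    for f in detect_web_shell_spawn(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['shell']} spawned by {f['parent']}, files: {f['files']}")
```

The two benign events are the precision check: a shell launched by cron and a non-shell child of httpsd both stay silent, so the rule keys on the parent-child pair rather than on either process alone. On the Sentinel side this is the Syslog leg of the query (httpsd/wad messages mentioning execve, /bin/sh or /bin/bash) expressed as a lineage rule.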
