Detect Fortinet FortiWeb OS Command Injection (CVE-2025-58034) in CrowdStrike LogScale

Detects exploitation of CVE-2025-58034, an OS command injection vulnerability (CWE-78) in Fortinet FortiWeb. This KEV-listed vulnerability allows attackers to inject and execute arbitrary OS commands through FortiWeb's management or inspection interfaces, potentially leading to full appliance compromise, lateral movement, and persistent access to network segmentation points.

MITRE ATT&CK

Tactics: Initial Access, Execution, Persistence, Lateral Movement

LogScale Detection Query

CrowdStrike LogScale (CQL)

// Scope: process and network events from FortiWeb-adjacent hosts
#event_simpleName=ProcessRollup2 OR #event_simpleName=NetworkConnectIP4
| device_type="FortiWeb" OR CommandLine=/fortiweb|httpsd|wad/i
// ProcessRollup2 carries CommandLine but no RemotePort, and NetworkConnectIP4 carries
// RemotePort but no CommandLine, so the two event types are tested in separate branches
// rather than AND-ed together on one event (which could never match).
| (
    #event_simpleName=ProcessRollup2 AND (
      CommandLine=/(\/bin\/sh|\/bin\/bash|cmd\.exe) -[ci]/ OR
      CommandLine=/;|&&|\|\||`|\$\(/
    )
  ) OR (
    #event_simpleName=NetworkConnectIP4
    AND in(RemotePort, values=["80", "443", "8080", "8443"])
    AND UrlPath=/%3B|%7C|%26%26|%60|%24%28/i
  )
| groupBy([aid, ComputerName, CommandLine, UrlPath, RemoteAddressIP4], function=count())
| sort(count, order=desc)

Severity: critical. Confidence: low.

CrowdStrike CQL query correlating network connection and process rollup events on FortiWeb-adjacent hosts, hunting for shell command execution patterns consistent with CVE-2025-58034 exploitation.

Data Sources

CrowdStrike Falcon telemetry on FortiWeb-adjacent Linux hosts

Required Tables

NetworkConnectIP4, ProcessRollup2

False Positives & Tuning

  • Authorized administrative shell access on systems near FortiWeb appliances
  • Automated monitoring scripts that fork shell processes from web server processes
  • FortiWeb integration agents that spawn child processes for health reporting
  • Development or staging FortiWeb instances with relaxed access controls
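To make the matching logic of the query above concrete, and to show where the tuning points listed under False Positives fit, here is a small Python re-implementation run over constructed sample telemetry. This is an added example, not CrowdStrike or LogScale code: the field names device_type, CommandLine, UrlPath, RemotePort, aid and ComputerName are taken from the query; ParentBaseFileName as the allowlist key and the parent names health_reporter and cron are assumptions for illustration.

```python
import re
from typing import Optional

# Regexes mirroring the LogScale query (constructed re-implementation, not LogScale code)
FORTIWEB_CONTEXT = re.compile(r"fortiweb|httpsd|wad", re.I)
SHELL_SPAWN = re.compile(r"(/bin/sh|/bin/bash|cmd\.exe) -[ci]")
SHELL_SEPARATORS = re.compile(r";|&&|\|\||`|\$\(")
ENCODED_METACHARS = re.compile(r"%3B|%7C|%26%26|%60|%24%28", re.I)
WEB_PORTS = {80, 443, 8080, 8443}

# Tuning knob for the "monitoring scripts / integration agents" false positives:
# parent processes whose shell children are expected. Assumed names, not from the page.
ALLOWLISTED_PARENTS = {"health_reporter", "cron"}


def matches_query(event: dict) -> Optional[str]:
    """Return the name of the query branch the event satisfies, or None.

    ProcessRollup2 events are checked for shell-spawn / separator patterns in CommandLine;
    NetworkConnectIP4 events for web ports plus URL-encoded shell metacharacters in UrlPath.
    """
    in_scope = (event.get("device_type") == "FortiWeb"
                or FORTIWEB_CONTEXT.search(event.get("CommandLine", "")))
    if not in_scope:
        return None
    kind = event.get("event_simpleName")
    if kind == "ProcessRollup2":
        # Allowlisted parents (ParentBaseFileName is an assumed field) are dropped before matching
        if event.get("ParentBaseFileName") in ALLOWLISTED_PARENTS:
            return None
        cmd = event.get("CommandLine", "")
        if SHELL_SPAWN.search(cmd) or SHELL_SEPARATORS.search(cmd):
            return "process_shell"
    elif kind == "NetworkConnectIP4":
        if (event.get("RemotePort") in WEB_PORTS
                and ENCODED_METACHARS.search(event.get("UrlPath", ""))):
            return "encoded_url"
    return None


def group_by(events: list) -> list:
    """Equivalent of groupBy([aid, ComputerName, branch], function=count()) | sort(count)."""
    counts: dict = {}
    for e in events:
        branch = matches_query(e)
        if branch:
            key = (e.get("aid"), e.get("ComputerName"), branch)
            counts[key] = counts.get(key, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "a1", "ComputerName": "waf-edge-01",
     "device_type": "FortiWeb", "ParentBaseFileName": "httpsd", "CommandLine": "/bin/sh -c id"},
    {"event_simpleName": "ProcessRollup2", "aid": "a1", "ComputerName": "waf-edge-01",
     "device_type": "FortiWeb", "ParentBaseFileName": "health_reporter",
     "CommandLine": "/bin/sh -c /opt/agent/report.sh"},          # allowlisted: tuned out
    {"event_simpleName": "NetworkConnectIP4", "aid": "a1", "ComputerName": "waf-edge-01",
     "device_type": "FortiWeb", "RemotePort": 443, "UrlPath": "/cgi-bin/module%3Bid"},
    {"event_simpleName": "NetworkConnectIP4", "aid": "a1", "ComputerName": "waf-edge-01",
     "device_type": "FortiWeb", "RemotePort": 443, "UrlPath": "/login"},   # benign path
    {"event_simpleName": "ProcessRollup2", "aid": "a2", "ComputerName": "build-07",
     "CommandLine": "/bin/bash -c ls"},                           # not FortiWeb-adjacent: out of scope
    {"event_simpleName": "ProcessRollup2", "aid": "a1", "ComputerName": "waf-edge-01",
     "device_type": "FortiWeb", "ParentBaseFileName": "bash",
     "CommandLine": "/usr/bin/python3 wad_status.py && echo ok"},  # '&&' alone trips the separator rule
]

if __name__ == "__main__":
    for key, n in group_by(SAMPLE_EVENTS):
        print(key, n)
```

The last sample event shows why the page rates confidence as low: a bare `&&` in any command line on an in-scope host is enough to match the separator pattern, so the allowlist (or a stricter parent/child relationship, such as a shell spawned directly by the web server process) is what separates signal from routine administration.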

Testing Methodology

Validate this detection against the four adversary techniques below, adapted from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: FortiWeb Command Injection via URI Path Semicolon Delimiter

    Expected signal: FortiWeb access logs showing HTTP GET request to /cgi-bin/module;id;whoami from test IP. CommonSecurityLog entry with RequestURL containing semicolons.

  2. Test 2: FortiWeb Command Injection via URL-Encoded Shell Metacharacters

    Expected signal: FortiWeb logs showing request URL containing %3B sequence. Network proxy or WAF logs showing URL-decoded form with semicolons.

  3. Test 3: Simulated Post-Exploitation Shell Spawn from Web Process

    Expected signal: Process execution log showing /bin/bash spawned with parent process www-data or httpsd equivalent. File creation event for /tmp/fortiweb_compromise_marker.txt.

  4. Test 4: FortiWeb Management Interface Credential Stuffing and Command Injection Attempt

    Expected signal: FortiWeb authentication log showing POST to management API with injection payload in password field. CommonSecurityLog DeviceAction showing authentication attempt with anomalous credential content.

Last updated: 2026-06-19. Research depth: standard.