Detect Fortinet FortiWeb OS Command Injection (CVE-2025-58034) in Microsoft Sentinel
Detects exploitation of CVE-2025-58034, an OS command injection vulnerability (CWE-78) in Fortinet FortiWeb. This KEV-listed vulnerability allows attackers to inject and execute arbitrary OS commands through FortiWeb's management or inspection interfaces, potentially leading to full appliance compromise, lateral movement, and persistent access to network segmentation points.
MITRE ATT&CK
KQL Detection Query
union isfuzzy=true
(
CommonSecurityLog
| where DeviceVendor =~ "Fortinet" and DeviceProduct =~ "FortiWeb"
| where AdditionalExtensions has_any ("cmd_injection", "os_command", "shell_exec", "command_injection")
or Message has_any (";", "&&", "||", "`", "$(")
or RequestURL has_any ("%3B", "%7C", "%26%26", "%60", "%24%28")
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, RequestURL, Message, Activity, Severity, AdditionalExtensions
),
(
Syslog
| where ProcessName has_any ("httpsd", "wad", "fortiweb")
| where SyslogMessage has_any ("cmd_injection", "os_command", "command injection", "shell", "execve", "/bin/sh", "/bin/bash")
| project TimeGenerated, HostName, ProcessName, SyslogMessage
),
(
AzureActivity
| where ResourceProviderValue =~ "Microsoft.Network"
| where OperationNameValue has_any ("FortiWeb", "Fortinet")
| where ActivityStatusValue =~ "Failed"
)
| extend CVE = "CVE-2025-58034"
| sort by TimeGenerated descHunts for OS command injection exploitation attempts against Fortinet FortiWeb appliances using CommonSecurityLog, Syslog, and AzureActivity tables. Looks for shell metacharacters in URLs and known FortiWeb process anomalies.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate FortiWeb administrative activity involving shell-like characters in URLs
- Security scanners or vulnerability assessment tools probing FortiWeb management interfaces
- URL-encoded characters in normal web traffic passing through FortiWeb inspection
- FortiWeb health checks or monitoring agents generating similar log patterns
Other platforms for CVE-2025-58034
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1FortiWeb Command Injection via URI Path Semicolon Delimiter
Expected signal: FortiWeb access logs showing HTTP GET request to /cgi-bin/module;id;whoami from test IP. CommonSecurityLog entry with RequestURL containing semicolons.
- Test 2FortiWeb Command Injection via URL-Encoded Shell Metacharacters
Expected signal: FortiWeb logs showing request URL containing %3B sequence. Network proxy or WAF logs showing URL-decoded form with semicolons.
- Test 3Simulated Post-Exploitation Shell Spawn from Web Process
Expected signal: Process execution log showing /bin/bash spawned with parent process www-data or httpsd equivalent. File creation event for /tmp/fortiweb_compromise_marker.txt.
- Test 4FortiWeb Management Interface Credential Stuffing and Command Injection Attempt
Expected signal: FortiWeb authentication log showing POST to management API with injection payload in password field. CommonSecurityLog DeviceAction showing authentication attempt with anomalous credential content.
Unlock Pro Content
Get the full detection package for CVE-2025-58034 including response playbook, investigation guide, and atomic red team tests.