CVE-2025-64446 & 58034 - Fortinet FortiWeb RCE in Unsupported Builds
Category:Threat Alerts
Fortinet FortiWeb vulnerabilities CVE-2025-64446 (path traversal) and CVE-2025-58034 (OS command injection) affect not only the documented 7.x and 8.x release lines but also older, unsupported 6.x builds. Both map to MITRE ATT&CK techniques T1190 (Exploit Public-Facing Application) and T1068 (Exploitation for Privilege Escalation). Both flaws have been exploited in the wild and are listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Rapid7 found that unsupported FortiWeb versions remain vulnerable because Fortinet initially patched the issues silently, which left defenders without guidance on which builds were affected or how to verify a fix. Attackers exploiting these flaws can use the traversal to reach administrative functions and files outside the intended path, inject OS commands, deploy webshells, and pivot deeper into the network through the compromised WAF appliance. Because FortiWeb typically sits in front of critical web applications and terminates their TLS, a compromise undermines traffic inspection, TLS handling, and every protective rule the appliance enforces. The business impact includes exposure of application data, compromise of the surrounding infrastructure, and reputational damage from a failed perimeter control. Mitigation requires upgrading or replacing unsupported FortiWeb appliances, monitoring logs for traversal and injection attempts (including URL-encoded and double-encoded variants), and restricting access to the admin interface with MFA and network controls.
CORTEX Protocol Intelligence Assessment
Business Impact: A compromised WAF exposes every downstream application it fronts, enabling data breaches and a pivot into the rest of the environment.
Technical Context: Exploitation in the wild and the KEV listing confirm that both the command-execution and the path-traversal vectors are actively being used against FortiWeb devices, including builds the vendor no longer supports.
Strategic Intelligence Guidance
- Upgrade or decommission vulnerable FortiWeb versions, including unsupported 6.x builds that will never receive a fix.
- Search web access and attack logs for traversal and injection indicators, normalising URL-encoded and double-encoded requests before matching, and treat a hostile request that received a 2xx response as an incident rather than a blocked probe.
- Restrict admin interface access to trusted management networks and enforce MFA on administrative accounts.
- Update vulnerability management workflows to account for silent patches: a version-based scan cannot tell whether a build contains a fix the vendor never announced, so track vendor advisories and KEV entries rather than release notes alone.
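The log-search guidance above (and the monitoring step in the summary) is easier to operationalise with a concrete sweep. The following is an added example, not code from the original alert or from Rapid7 or Fortinet: a small Python scanner that parses combined-style access-log lines, percent-decodes each request path and query value until the decoding is stable (so double-encoded `%252e%252e%252f` is caught), flags `..` path segments and shell metacharacters, and then separates requests the server answered with 2xx from those it rejected. The log lines, paths and parameter names are constructed placeholders; they are not the real exploit requests for either CVE and no FortiWeb log format is assumed.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a generic combined-log style. They are not real
# FortiWeb output and the paths/parameters are hypothetical placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Dec/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [03/Dec/2025:10:01:05 +0000] "GET /api/files?name=../../etc/passwd HTTP/1.1" 200 1024
203.0.113.12 - - [03/Dec/2025:10:01:09 +0000] "GET /api/files?name=..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 0
203.0.113.13 - - [03/Dec/2025:10:01:12 +0000] "POST /api/tools?host=127.0.0.1%3Bid HTTP/1.1" 200 88
203.0.113.14 - - [03/Dec/2025:10:01:15 +0000] "GET /api/files?name=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 900
203.0.113.15 - - [03/Dec/2025:10:01:20 +0000] "GET /app/..%2f..%2fprotected/config HTTP/1.1" 200 300
203.0.113.16 - - [03/Dec/2025:10:02:00 +0000] "GET /search?q=fortiweb&page=2 HTTP/1.1" 200 4096
this line is not in the expected format and is skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# ".." as a whole path segment, with either slash style, checked after decoding.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')
# Shell metacharacters that chain or substitute commands.
INJECTION_RE = re.compile(r'[;|&`\n]|\$\(')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so double encoding (%252e) is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def split_query(query: str):
    """Split on raw '&' before decoding, so an encoded '&' inside a value survives."""
    if not query:
        return
    for part in query.split("&"):
        key, _, raw_value = part.partition("=")
        yield key, fully_decode(raw_value)


def analyse_request(target: str) -> list:
    """Return the indicator names found in one request target (path + query)."""
    path, _, query = target.partition("?")
    reasons = []
    if TRAVERSAL_RE.search(fully_decode(path)):
        reasons.append("traversal-in-path")
    for key, value in split_query(query):
        if TRAVERSAL_RE.search(value):
            reasons.append(f"traversal-in-param:{key}")
        if INJECTION_RE.search(value):
            reasons.append(f"injection-in-param:{key}")
    return reasons


def scan_log(text: str) -> list:
    """Parse each line and keep the ones carrying traversal or injection indicators."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole sweep
        reasons = analyse_request(m["target"])
        if reasons:
            findings.append({
                "ip": m["ip"], "status": int(m["status"]),
                "target": m["target"], "reasons": reasons,
            })
    return findings


def triage(findings: list) -> dict:
    """Split by response status: a 2xx on a hostile request is an incident,
    a 4xx suggests it was rejected but the source is still probing."""
    return {
        "served": [f for f in findings if 200 <= f["status"] < 300],
        "rejected": [f for f in findings if f["status"] >= 400],
    }


if __name__ == "__main__":
    for bucket, items in triage(scan_log(SAMPLE_LOG)).items():
        for f in items:
            print(f"{bucket:8} {f['ip']:14} {f['status']} {f['target']} {f['reasons']}")
```

Run it as-is to see the split on the constructed sample, or feed `scan_log` the contents of a real access log. The decoding loop is the part worth keeping: a single `unquote` misses the double-encoded line, and matching on the raw query string would either miss `..%2F..%2F` or false-positive on the `&` that separates parameters.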
Intelligence Source: CVE-2025-64446 & 58034 - Fortinet FortiWeb RCE in Unsupported Builds | Dec 3, 2025