PT-2026-24236 · Fortinet · FortiWeb

Published: 2026-03-10 · Updated: 2026-03-17 · CVE-2025-66178

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Fortinet FortiWeb versions 8.0.0 through 8.0.1
Fortinet FortiWeb versions 7.6.0 through 7.6.5
Fortinet FortiWeb versions 7.4.0 through 7.4.11
Fortinet FortiWeb versions 7.2.0 through 7.2.12
Fortinet FortiWeb versions 7.0.0 through 7.0.12
Description

An improper neutralization of special elements used in an OS command ('OS command injection') exists. This issue may allow an authenticated attacker to execute arbitrary commands via a specially crafted HTTP request.
Recommendations

Fortinet FortiWeb versions 8.0.0 through 8.0.1 should be updated.
Fortinet FortiWeb versions 7.6.0 through 7.6.5 should be updated.
Fortinet FortiWeb versions 7.4.0 through 7.4.11 should be updated.
Fortinet FortiWeb versions 7.2.0 through 7.2.12 should be updated.
Fortinet FortiWeb versions 7.0.0 through 7.0.12 should be updated.

Fix

OS Command Injection


Weakness Enumeration

Related Identifiers

BDU:2026-03205
CVE-2025-66178

Affected Products

FortiWeb