CVSS 7.2

Fortinet FortiWeb: Unauthorized Command Execution via Special HTTP Requests

CVE-2025-66178
Summary

FortiWeb software versions 8.0.0 to 8.0.1, 7.6.0 to 7.6.5, 7.4.0 to 7.4.11, 7.2.0 to 7.2.12, and 7.0.0 to 7.0.12 contain a flaw that could allow an authenticated attacker to run unauthorized operating-system commands on the appliance by sending a specially crafted HTTP request. This could allow the attacker to access sensitive data or disrupt system operations. FortiWeb should be updated to the latest version to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor     Product    Affected versions       Fix available
fortinet   fortiweb   > 7.0.0, <= 7.0.13
fortinet   fortiweb   > 7.2.0, <= 7.2.13
fortinet   fortiweb   > 7.4.0, <= 7.4.12
fortinet   fortiweb   > 7.6.0, <= 7.6.7
fortinet   fortiweb   > 8.0.0, <= 8.0.3
Original title
An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 thr...
Original description
An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.11, FortiWeb 7.2.0 through 7.2.12, FortiWeb 7.0.0 through 7.0.12 may allow an authenticated attacker to execute arbitrary commands via a specially crafted HTTP request.
NVD CVSS 3.1: 7.2
Vulnerability type
CWE-78 OS Command Injection
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026