
“If the patch had mentioned the zero-day vulnerability, organizations may have understood it to be urgent rather than routine and scheduled for the next maintenance window,” agreed Amruth Laxman, founding partner of cloud VoIP provider 4Voice. He believed that transparency about serious flaws was essential for customers to make informed decisions.
Patching advice
Affected versions of FortiWeb, with the release that fixes each branch, are: 7.0.0 through 7.0.11 (fixed in 7.0.12), 7.2.0 through 7.2.11 (fixed in 7.2.12), 7.4.0 through 7.4.9 (fixed in 7.4.10), 7.6.0 through 7.6.4 (fixed in 7.6.5), and 8.0.0 through 8.0.1 (fixed in 8.0.2).
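A fleet check against those version ranges is easy to get wrong if version strings are compared as text: "7.4.10" sorts before "7.4.9" character by character, so a naive string comparison reports the fixed release as still affected. The example below is added here and is not code from the article or from Fortinet; it encodes the ranges exactly as listed above and assumes FortiWeb version strings follow a plain major.minor.patch form (an assumption, not something the article states). Any branch not listed above is reported as unknown rather than guessed at.

```python
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges and the release that fixes each branch, copied from the
# article's patching advice (a constructed lookup for this example).
AFFECTED: list = [
    ((7, 0, 0), (7, 0, 11), (7, 0, 12)),
    ((7, 2, 0), (7, 2, 11), (7, 2, 12)),
    ((7, 4, 0), (7, 4, 9), (7, 4, 10)),
    ((7, 6, 0), (7, 6, 4), (7, 6, 5)),
    ((8, 0, 0), (8, 0, 1), (8, 0, 2)),
]


def parse_version(s: str) -> Version:
    """Parse 'major.minor.patch' into integers so that 7.4.10 > 7.4.9.

    The three-part form is an assumption about FortiWeb version strings;
    anything else is rejected rather than silently misread.
    """
    parts = s.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def naive_in_range(version: str, low: str, high: str) -> bool:
    """The pitfall: lexicographic comparison of version strings.

    '7.4.10' <= '7.4.9' is True as text, so this wrongly flags the fixed
    release as affected. Kept here only to show the failure mode.
    """
    return low <= version <= high


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return ('affected', fixed_release), ('fixed', None) or ('unknown', None).

    Comparison is numeric per component. A version on a listed branch at or
    above the fix release is 'fixed'; a branch the article does not list is
    'unknown' so the caller can investigate instead of assuming safety.
    """
    v = parse_version(version)
    for low, high, fix in AFFECTED:
        if low <= v <= high:
            return ("affected", ".".join(str(n) for n in fix))
        if v[:2] == fix[:2] and v >= fix:
            return ("fixed", None)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample inventory, e.g. from an asset database export.
    inventory = {"waf-edge-01": "7.4.9", "waf-edge-02": "7.4.10",
                 "waf-dmz-01": "8.0.1", "waf-lab-01": "8.1.0"}
    for host, ver in inventory.items():
        status, fix = assess(ver)
        print(f"{host}: {ver} -> {status}" + (f", upgrade to {fix}" if fix else ""))
```

Run it on an inventory export and act on every "affected" and "unknown" line; the "unknown" outcome is deliberate, because a branch the advisory does not mention is not evidence that it is safe.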
Meanwhile, the widespread use of FortiWeb WAFs in government has prompted CISA to warn that agencies should patch CVE-2025-58034 within one week, an unusually short window for applying an update.
