CVE-2025-66178

CVE Database · CVE-2025-66178

CVE-2025-66178

· HIGHAnalyzed

CVSS v3.1

7.2

EPSS

1.67%

Published

Mar 10, 2026

Modified

Mar 12, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.11, FortiWeb 7.2.0 through 7.2.12, FortiWeb 7.0.0 through 7.0.12 may allow an authenticated attacked to execute arbitrary commands via a specialy crafted HTTP request.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-78

Affected Products (5)

fortinet · fortiweb (up to 7.0.13)vulnerable

fortinet · fortiweb (up to 7.2.13)vulnerable

fortinet · fortiweb (up to 7.4.12)vulnerable

fortinet · fortiweb (up to 7.6.7)vulnerable

fortinet · fortiweb (up to 8.0.3)vulnerable

References (1)

https://fortiguard.fortinet.com/psirt/FG-IR-26-088

Vendor Advisory

KEV Catalog EPSS Scores Vendors All CVEs