TIRESIS/Forecast/CVE-2025-58034

⚡ CISA KEV — Actively ExploitedCRITICAL RISK

CVE-2025-58034

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 …

SMB Attack Probability Score

83/100critical

Weighted: EPSS · CISA KEV · SMB stack prevalence · exploit maturity · CVSS vector

CVSS v3

7.2

EPSS (30d)

49.74%

SMB Exposure

46/100

Attack Vector

NETWORK

Complexity

LOW

Privileges

HIGH

🔓

SMB Impact

How this vulnerability affects a real small business

1

How this breaks an SMB

Firewall or VPN compromise gives attackers full internal network access — no further credentials needed. All connected systems are immediately at risk.

2

Typical real-world scenario

Automated scanner identifies the exposed appliance. Within hours, lateral movement begins: file servers, domain controller, and backup systems are reached.

3

Estimated downtime & cost

Est. downtime

3–7 days

Business cost range

€15K–€80K

4

What IT should check this week

Is this appliance directly internet-facing?

Is firmware/OS version patched to latest?

Are admin consoles accessible without MFA?

Is network segmentation between IT and OT/servers active?

Scenarios are generated based on software category and CVE characteristics. Cost ranges reflect SMB incidents in TIRESIS incident database.

Threat Evolution Timeline

From disclosure to predicted exploitation — 6 events

◈ 1 predicted

📋

18 Nov 2025

Vulnerability disclosed

CVE published by NVD with CVSS 7.2 (HIGH)

🚨

18 Nov 2025CISA KEV

Added to CISA KEV catalog

CISA confirms active exploitation. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

⚡

20 Nov 2025

Exploit in the wild

Active exploitation observed — automated scanning and targeted attacks underway

🔬

25 Nov 2025

Proof-of-Concept published

Public PoC code available — exploitation now accessible to non-expert attackers

📍

TODAY

Today

EPSS: 49.7% probability of exploitation in next 30 days. SMB Risk Score: 83/100

Forecast →

🌐

30 May 2026◈ predicted · in 30 days

Predicted: mass exploitation window

Based on EPSS 50% and current exploit maturity — automated scanning campaigns expected at scale.

◈ Predicted eventsare estimates based on EPSS score, exploit maturity, and historical CVE progression patterns. They are not guaranteed outcomes.

Affected Products

fortiweb

Remediation & References

⚡ CISA Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Federal agency patch deadline: 2025-11-25

What to do

🚨Patch immediately — actively exploited in the wildcritical

CISA has confirmed exploitation of this vulnerability. Federal agencies must patch within the KEV deadline. SMBs should treat this as P0: patch or mitigate within 24–48 hours.

NVD Full Entry ↗Official vulnerability detail, CVSS vectors, CPE list CISA KEV Entry ↗CISA Known Exploited Vulnerabilities catalog EPSS Score ↗Exploit Prediction Scoring System — FIRST.org Mitre CVE ↗MITRE CVE Program official entry

Vendor & Exploit References

Fortinet PSIRT ↗GitHub Advisory Search ↗Exploit-DB ↗

Scoring Methodology

SMB Attack Probability Score weights: EPSS exploit likelihood (35%), CISA KEV active exploitation (25%), SMB stack prevalence (20%), exploit maturity (10%), CVSS network vector complexity (10%). Impact scenarios are derived from software category and historical SMB incident patterns. Scores recompute daily.