Cyber Posture

CVE-2025-58034

HighCISA KEVActive Exploitation

Published: 18 November 2025

Published
18 November 2025
Modified
21 November 2025
KEV Added
18 November 2025
Patch
CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.4264 97.5th percentile
Risk Priority 60 60% EPSS · 20% KEV · 20% CVSS

Description

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may…

more

allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates OS command injection by requiring validation and sanitization of crafted HTTP requests and CLI commands containing special elements.

SI-2 Flaw Remediation good match
prevent

Addresses the specific flaw in FortiWeb by requiring timely identification, reporting, and patching of the improper neutralization vulnerability.

AC-6 Least Privilege partial match
prevent

Limits the impact of unauthorized code execution by authenticated high-privilege attackers through enforcement of least privilege on the underlying system.

Security SummaryAI

CVE-2025-58034 is an Improper Neutralization of Special Elements used in an OS Command, classified as an OS Command Injection vulnerability (CWE-78), affecting multiple versions of Fortinet FortiWeb. The impacted releases include FortiWeb 8.0.0 through 8.0.1, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. Published on 2025-11-18, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An authenticated attacker with high privileges (PR:H) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). By crafting specific HTTP requests or CLI commands, the attacker may execute unauthorized code on the underlying system, achieving high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope (S:U).

Fortinet's PSIRT advisory provides details on mitigation and patches at https://fortiguard.fortinet.com/psirt/FG-IR-25-513. The vulnerability is also listed in CISA's Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58034, signaling real-world exploitation and urging immediate remediation.

Details

CWE(s)
CWE-78
KEV Date Added
18 November 2025

Affected Products

fortinet
fortiweb
7.0.0 — 7.0.12 · 7.2.0 — 7.2.12 · 7.4.0 — 7.4.11

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
Why these techniques?

CVE-2025-58034 is an OS command injection in a public-facing FortiWeb appliance, directly enabling exploitation of public-facing applications (T1190) and execution via Unix shell (T1059.004) through crafted HTTP requests or CLI commands.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References