The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has added a crucial Fortinet FortiWeb vulnerability to its Recognized Exploited Vulnerabilities (KEV) catalog, confirming lively exploitation of the SQL injection flaw in cyberattacks worldwide.
The vulnerability, tracked as CVE-2025-25257, impacts Fortinet’s FortiWeb net software firewall and carries a extreme CVSS rating of 9.6 out of 10.
The vulnerability arises from improper neutralization of particular components utilized in SQL instructions, permitting unauthenticated attackers to execute unauthorized SQL code or instructions by way of crafted HTTP or HTTPS requests.
“An improper neutralization of particular components utilized in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in FortiWeb might enable an unauthenticated attacker to execute unauthorized SQL code or instructions by way of crafted HTTP or HTTPs requests,” Fortinet defined in its advisory.
The vulnerability resides in FortiWeb’s Material Connector element, which serves as a bridge between the firewall and different Fortinet safety merchandise.
Safety researchers found that attackers can exploit the flaw by sending malicious requests to the /api/cloth/system/standing endpoint with crafted Authorization headers.
Lively Exploitation Marketing campaign
Cybersecurity monitoring group The Shadowserver Basis has recognized widespread exploitation of the vulnerability, reporting 77 compromised FortiWeb situations as of July 15, 2025. This represents a slight lower from 85 compromised techniques detected the day prior to this.
We’re sharing Fortinet FortiWeb situations compromised with webshells seemingly by way of CVE-2025-25257. We see 77 instances on 2025-07-15, down from 85 on 2025-07-14. CVE-2025-25257 exploitation exercise noticed since Jul eleventh. Tree map overview (compromised): pic.twitter.com/uhxApqKDPY— The Shadowserver Basis (@Shadowserver) July 16, 2025
The exploitation marketing campaign started on July 11, 2025, coinciding with the general public launch of proof-of-concept exploit code by safety researchers at watchTowr Labs. This speedy weaponization demonstrates how shortly risk actors can leverage publicly out there exploits.
“We see 77 instances on 2025-07-15, down from 85 on 2025-07-14. CVE-2025-25257 exploitation exercise noticed since Jul eleventh,” The Shadowserver Basis reported.
The assaults contain deploying webshells on compromised techniques, offering persistent backdoor entry for attackers. America accounts for the very best variety of compromised units at 40, adopted by the Netherlands, Singapore, and the UK.
A number of FortiWeb variations are susceptible to the assault:
VersionAffectedSolutionFortiWeb 7.67.6.0 by means of 7.6.3Upgrade to 7.6.4 or aboveFortiWeb 7.47.4.0 by means of 7.4.7Upgrade to 7.4.8 or aboveFortiWeb 7.27.2.0 by means of 7.2.10Upgrade to 7.2.11 or aboveFortiWeb 7.07.0.0 by means of 7.0.10Upgrade to 7.0.11 or above
Fortinet launched safety patches on July 8, 2025, and confirmed on July 18 that the vulnerability “has been noticed to be exploited within the wild on FortiWeb”.
CISA strongly urges all organizations to prioritize remediation of this vulnerability, noting that “these kind of vulnerabilities are frequent assault vectors for malicious cyber actors and pose vital dangers to the federal enterprise”.
For organizations unable to instantly patch, Fortinet recommends disabling the HTTP/HTTPS administrative interface as a brief workaround. Moreover, 223 FortiWeb administration interfaces stay uncovered on-line, creating potential targets for additional compromise6.
The vulnerability was responsibly disclosed by Kentaro Kawane from GMO Cybersecurity by Ierae. Safety consultants emphasize the crucial significance of speedy patch deployment, particularly for internet-facing safety home equipment that function main defensive boundaries in opposition to cyber threats.
Increase detection, cut back alert fatigue, speed up response; all with an interactive sandbox constructed for safety groups -> Strive ANY.RUN Now
