CISA Warns of Fortinet FortiWeb SQL Injection Vulnerability Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Fortinet FortiWeb vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation of the SQL injection flaw in cyberattacks worldwide.

The vulnerability, tracked as CVE-2025-25257, affects Fortinet’s FortiWeb web application firewall and carries a severe CVSS score of 9.6 out of 10.

The vulnerability arises from improper neutralization of special elements used in SQL commands, allowing unauthenticated attackers to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.

“An improper neutralization of special elements used in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests,” Fortinet explained in its advisory.

The vulnerability resides in FortiWeb’s Fabric Connector component, which serves as a bridge between the firewall and other Fortinet security products.

Security researchers discovered that attackers can exploit the flaw by sending malicious requests to the /api/fabric/device/status endpoint with crafted Authorization headers.
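
A defender-side triage check for the request pattern described above, written as an added example for this article rather than code from Fortinet, CISA, Shadowserver or watchTowr. It scans an access-log export for requests to /api/fabric/device/status whose Authorization header, after URL-decoding, contains SQL metacharacters, which a legitimate bearer token never carries. The JSON field names, the sample log lines and the marker set are assumptions; the heuristic is generic CWE-89 hygiene and does not encode any specific payload.

```python
"""Triage helper: flag access-log requests to the FortiWeb Fabric Connector
status endpoint whose Authorization header carries SQL metacharacters.

Hypothetical detection logic written for this article; it is not Fortinet's
or CISA's code. It assumes a log export with one JSON object per line that
contains the fields used below (ts, src_ip, method, path, status, authorization).
"""
import json
import re
from urllib.parse import unquote

# Endpoint named in the article as the one targeted by crafted requests.
TARGET_PATH = "/api/fabric/device/status"

# Characters and sequences that have no place in a bearer token but are
# meaningful to a SQL parser (CWE-89). Checked after URL-decoding.
SQLI_MARKERS = re.compile(r"""['";]|--|/\*|\*/""")


def normalize(value: str) -> str:
    """URL-decode repeatedly so double-encoded input (%2527 -> %27 -> ') is unwrapped."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value


def is_suspicious(entry: dict) -> bool:
    """True when the request hits the Fabric Connector status endpoint and
    its Authorization header contains SQL metacharacters."""
    path = normalize(entry.get("path", "")).split("?", 1)[0]
    if path != TARGET_PATH:
        return False
    auth = normalize(entry.get("authorization", ""))
    return SQLI_MARKERS.search(auth) is not None


def scan(lines):
    """Return (src_ip, authorization) for every suspicious JSON log line.
    Malformed lines are skipped rather than aborting the whole scan."""
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_suspicious(entry):
            hits.append((entry.get("src_ip"), entry.get("authorization")))
    return hits


# Constructed sample export (not real traffic). Only the third line should be
# flagged: right endpoint, and the header decodes to a quote plus a comment marker.
SAMPLE_LOGS = [
    '{"ts":"2025-07-15T10:01:02Z","src_ip":"203.0.113.10","method":"GET",'
    '"path":"/api/fabric/device/status","status":200,'
    '"authorization":"Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc"}',
    '{"ts":"2025-07-15T10:01:05Z","src_ip":"198.51.100.7","method":"GET",'
    '"path":"/login","status":200,"authorization":"Bearer abc\'--"}',
    '{"ts":"2025-07-15T10:01:09Z","src_ip":"203.0.113.11","method":"GET",'
    '"path":"/api/fabric/device/status","status":500,'
    '"authorization":"Bearer abc%27%20--%20"}',
    "this line is not json",
]

if __name__ == "__main__":
    for src, auth in scan(SAMPLE_LOGS):
        print(f"suspicious request from {src}: Authorization={auth!r}")
```

A hit is a lead for investigation (pair it with a check for new files under the web root, given the webshell activity reported below), not proof of compromise; the decode loop matters because a single-pass decoder misses double-encoded quotes.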

Active Exploitation Campaign

Cybersecurity monitoring organization The Shadowserver Foundation has identified widespread exploitation of the vulnerability, reporting 77 compromised FortiWeb instances as of July 15, 2025. This represents a slight decrease from 85 compromised systems detected the previous day.

The exploitation campaign began on July 11, 2025, coinciding with the public release of proof-of-concept exploit code by security researchers at watchTowr Labs. This rapid weaponization demonstrates how quickly threat actors can leverage publicly available exploits.

“We see 77 cases on 2025-07-15, down from 85 on 2025-07-14. CVE-2025-25257 exploitation activity observed since Jul 11th,” The Shadowserver Foundation reported.

The attacks involve deploying webshells on compromised systems, providing persistent backdoor access for attackers. The United States accounts for the highest number of compromised devices at 40, followed by the Netherlands, Singapore, and the United Kingdom.

Multiple FortiWeb versions are vulnerable to the attack:

Version      | Affected              | Solution
FortiWeb 7.6 | 7.6.0 through 7.6.3   | Upgrade to 7.6.4 or above
FortiWeb 7.4 | 7.4.0 through 7.4.7   | Upgrade to 7.4.8 or above
FortiWeb 7.2 | 7.2.0 through 7.2.10  | Upgrade to 7.2.11 or above
FortiWeb 7.0 | 7.0.0 through 7.0.10  | Upgrade to 7.0.11 or above

Fortinet released security patches on July 8, 2025, and confirmed on July 18 that the vulnerability “has been observed to be exploited in the wild on FortiWeb”.

CISA strongly urges all organizations to prioritize remediation of this vulnerability, noting that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise”.

For organizations unable to patch immediately, Fortinet recommends disabling the HTTP/HTTPS administrative interface as a temporary workaround. Additionally, 223 FortiWeb management interfaces remain exposed online, creating potential targets for further compromise.

The vulnerability was responsibly disclosed by Kentaro Kawane from GMO Cybersecurity by Ierae. Security experts emphasize the critical importance of rapid patch deployment, especially for internet-facing security appliances that serve as primary defensive barriers against cyber threats.
