Fortinet FortiWeb Instances Hacked with Webshells Following Public PoC Exploits
Dozens of Fortinet FortiWeb instances have been compromised with webshells in a widespread hacking campaign, according to the threat monitoring organization The Shadowserver Foundation.
The attacks are linked to a critical vulnerability, tracked as CVE-2025-25257, for which public proof-of-concept (PoC) exploits were released just days ago.
Key Takeaways
1. Attackers are actively compromising Fortinet FortiWeb instances with webshells by exploiting a critical SQL injection vulnerability, tracked as CVE-2025-25257.
2. The campaign began around July 11, immediately after security researchers released public proof-of-concept (PoC) exploits, making it easy for threat actors to weaponize the flaw.
3. The Shadowserver Foundation has identified 77 compromised devices as of July 15 and warns that over 200 additional FortiWeb management interfaces remain exposed online, leaving them highly vulnerable if unpatched.
4. Fortinet has already released security updates and strongly urges customers to upgrade their systems immediately or disable the administrative interface to block the attack vector and prevent compromise.
The Shadowserver Foundation reported on Tuesday that it had identified 77 compromised FortiWeb instances, a slight decrease from 85 the previous day. The organization noted that active exploitation of the vulnerability has been observed since July 11, the same day researchers made exploit code publicly available.
The vulnerability at the heart of these attacks, CVE-2025-25257, is a critical pre-authenticated SQL injection (SQLi) flaw in the FortiWeb graphical user interface.
With a CVSS severity score of 9.6 out of 10, the flaw allows unauthenticated attackers to execute unauthorized code or commands remotely by sending specially crafted HTTP requests.
Fortinet, a major cybersecurity and firewall vendor, sells the FortiWeb appliance as a Web Application Firewall (WAF) that protects web applications and APIs for large enterprises and government agencies.
Fortinet disclosed the vulnerability on July 8, 2025, and released patches to address it. The flaw, discovered by security researcher Kentaro Kawane of GMO Cybersecurity, resides in the FortiWeb Fabric Connector, a component that integrates the WAF with other Fortinet security products.
However, on July 11, cybersecurity firm watchTowr and one of the flaw’s co-discoverers published PoC exploits, dramatically escalating the risk for organizations running unpatched versions.
The exploits demonstrated how an attacker could leverage SQL injection to plant a webshell or open a reverse shell on a vulnerable device, granting them persistent access and control.
The current wave of attacks confirms cybersecurity experts’ fears that threat actors would quickly weaponize the public exploits. According to Shadowserver, an additional 223 FortiWeb management interfaces remained exposed to the internet as of July 15.
While their patch status is unconfirmed, these systems are considered highly likely to be compromised if they have not been updated. The United States has the highest number of compromised devices at 40, followed by the Netherlands, Singapore, and the United Kingdom.
Fortinet has urged customers to immediately upgrade to a fixed release: FortiWeb 7.6.4, 7.4.8, 7.2.11, or 7.0.11, or later versions of those branches.
For organizations unable to apply the patches right away, the company recommends disabling the HTTP/HTTPS administrative interface as a temporary workaround to block the attack vector.
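As an added defender-side example (not code from the article or from Fortinet), the script below classifies FortiWeb version strings from an asset inventory against the fixed releases listed above, so unpatched units can be prioritised for upgrade or for disabling the administrative interface. It assumes that only the four 7.x branches with a listed fix are assessed and reports any other branch as unknown rather than guessing.

```python
"""Triage helper: classify FortiWeb version strings against the fixed releases
for CVE-2025-25257 named in the advisory (7.6.4, 7.4.8, 7.2.11, 7.0.11).

Assumption (not from the article): only the four branches with a listed fix are
assessed; any other branch is reported as "unknown" rather than guessed.
"""
import re
from typing import Optional

# Minimum patched release per branch, as listed in the article.
FIXED_VERSIONS = {
    (7, 6): (7, 6, 4),
    (7, 4): (7, 4, 8),
    (7, 2): (7, 2, 11),
    (7, 0): (7, 0, 11),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Optional[tuple]:
    """Parse 'v7.4.7' or '7.4.7' into a (major, minor, patch) tuple; None if malformed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess_version(text: str) -> str:
    """Return 'patched', 'vulnerable', 'unknown' or 'invalid' for one version string."""
    v = parse_version(text)
    if v is None:
        return "invalid"
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        return "unknown"  # branch not covered by the advisory's fix list
    return "patched" if v >= fixed else "vulnerable"


def triage_inventory(inventory: dict) -> dict:
    """Group hostnames by assessment so unpatched appliances stand out."""
    groups: dict = {}
    for host, ver in sorted(inventory.items()):
        groups.setdefault(assess_version(ver), []).append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"waf-01": "7.4.7", "waf-02": "v7.4.8", "waf-03": "7.2.10", "waf-04": "8.0.1"}
    for status, hosts in triage_inventory(sample).items():
        print(f"{status:10s} {', '.join(hosts)}")
```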