FortiWeb Systems Compromised via Webshells After Public PoC Release
A widespread cyberattack campaign has successfully compromised dozens of Fortinet FortiWeb instances through webshell deployment, exploiting a critical vulnerability for which proof-of-concept code became publicly available just days ago.
The rapid weaponization of the exploit demonstrates the immediate risks organizations face when security flaws become public knowledge.
Critical Vulnerability Details and Impact
The attacks center around CVE-2025-25257, a critical pre-authenticated SQL injection vulnerability affecting Fortinet’s FortiWeb Web Application Firewall systems.
This flaw, with a severe CVSS score of 9.6 out of 10, allows unauthenticated attackers to execute unauthorized code remotely by sending specially crafted HTTP requests to vulnerable systems.
The vulnerability resides specifically in the FortiWeb Fabric Connector component, which integrates the WAF with other Fortinet security products.
Security researcher Kentaro Kawane of GMO Cybersecurity discovered the flaw, which Fortinet disclosed on July 8, 2025.
However, the security landscape changed dramatically on July 11 when cybersecurity firm WatchTowr and co-discoverers published proof-of-concept exploits.
These exploits demonstrated how attackers could leverage SQL injection techniques to plant webshells or establish reverse shells on vulnerable devices, providing persistent access and control.
The Shadowserver Foundation, a prominent threat monitoring organization, has been tracking the exploitation campaign since it began on July 11. Their latest data reveals concerning statistics about the scope of compromised systems:
| Metric | Count | Details |
| Confirmed Compromised Instances | 77 | Down from 85 the previous day |
| Additional Exposed Systems | 223 | Patch status unconfirmed |
| Most Affected Country | United States | 40 compromised devices |
| Other Significantly Affected | Netherlands, Singapore, UK | Multiple compromised systems each |
| Vulnerability CVSS Score | 9.6/10 | Critical severity rating |
| Public Exploit Release Date | July 11, 2025 | Same day active exploitation began |
Fortinet has responded swiftly to the threat by releasing patches and providing guidance for affected customers.
The company strongly urges immediate upgrades to secure versions, including FortiWeb 7.6.4, 7.4.8, 7.2.11, or 7.0.11 and later releases.
For organizations unable to implement patches immediately, Fortinet recommends disabling the HTTP/HTTPS administrative interface as a temporary workaround to block the primary attack vector.
The current campaign underscores cybersecurity experts’ concerns about the rapid weaponization of public exploits.
With FortiWeb systems serving as critical security infrastructure for large enterprises and government agencies, the compromise of these devices represents a significant security risk that extends beyond the immediate victims to the organizations and applications they protect.
The decrease from 85 to 77 confirmed compromised instances suggests some organizations are successfully implementing remediation measures, though the 223 additional exposed systems remain a significant concern for the cybersecurity community.
Get Free Ultimate SOC Requirements Checklist Before you build, buy, or switch your SOC for 2025 - Download Now
