Zoonop

Fortinet FortiWeb Vulnerability Exploited: Dozens of Instances Compromised Following Public PoC Release

Image for Fortinet FortiWeb Vulnerability Exploited: Dozens of Instances Compromised Following Public PoC Release

Global cybersecurity firms are urging immediate action as a critical vulnerability in Fortinet's FortiWeb web application firewall, tracked as CVE-2025-25257, is being actively exploited in the wild. The Shadowserver Foundation reported identifying 35 compromised FortiWeb instances as of Thursday, a decrease from 85 observed earlier in the week, indicating ongoing exploitation and remediation efforts.

The vulnerability, an unauthenticated SQL injection flaw with a high CVSS score of 9.6, allows attackers to execute unauthorized SQL commands or even gain remote code execution (RCE) on affected systems. Fortinet initially released patches for this flaw on July 8, 2025, following its discovery by Kentaro Kawane of GMO Cybersecurity. However, the risk escalated significantly after Proof-of-Concept (PoC) exploit code was publicly released on July 11, leading to rapid weaponization by threat actors.

According to Fortinet's advisory, the flaw resides in the FortiWeb's Graphical User Interface (GUI) component, specifically due to improper neutralization of special elements in SQL statements. Exploitation involves crafting malicious HTTP or HTTPS requests to the /api/fabric/device/status endpoint. Successful exploitation can lead to the deployment of webshells, granting persistent access and control to attackers.

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-25257 to its Known Exploited Vulnerabilities (KEV) Catalog, emphasizing the urgency for all organizations, including federal agencies, to apply the necessary patches. Affected FortiWeb versions include 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10, and 7.0.0 through 7.0.10. Users are advised to upgrade to FortiWeb 7.6.4, 7.4.8, 7.2.11, or 7.0.11 and above.

For organizations unable to immediately patch, Fortinet recommends disabling the HTTP/HTTPS administrative interface as a temporary workaround to mitigate the attack vector. Cybersecurity experts highlight that the rapid exploitation of this vulnerability underscores the critical need for prompt patching and robust vulnerability management practices, especially for systems like FortiWeb that serve as crucial defense layers for web applications and APIs.