
Fortinet FortiWeb Flaw Exploited in the Wild After PoC Publication

Dozens of FortiWeb instances have been hacked after PoC targeting a recent critical vulnerability was shared publicly.


Hackers started targeting a recently patched critical-severity vulnerability in Fortinet FortiWeb on the same day that proof-of-concept (PoC) exploit code was shared publicly.

Tracked as CVE-2025-25257 (CVSS score of 9.6), the flaw is described as an SQL injection issue that allows unauthenticated attackers to run unauthorized SQL code or commands via crafted HTTP or HTTPS requests.

Fortinet released fixes for the security defect on July 8, crediting Kentaro Kawane from GMO Cybersecurity by Ierae for reporting it.

FortiWeb versions 7.6.4, 7.4.8, 7.2.11, and 7.0.11 contain the necessary patches, and users are advised to update as soon as possible, or to disable the HTTP/HTTPS administrative interface if patching is not possible.
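The following script is an added example for triaging a FortiWeb inventory against the fixed versions named above; it is not code from Fortinet, watchTowr or SecurityWeek. Only the fixed versions (7.6.4, 7.4.8, 7.2.11, 7.0.11) and the interim mitigation (disabling the HTTP/HTTPS administrative interface) come from the article. The inventory format, host names and version strings are constructed for illustration, and any branch not listed in the article is reported as unknown rather than assumed safe or vulnerable.

```python
"""Triage a FortiWeb inventory against the CVE-2025-25257 fixed versions.

Added example, not vendor code. Fixed versions and the interim mitigation
are taken from the article; everything else is a constructed assumption.
"""
from typing import List, Tuple

Version = Tuple[int, int, int]

# First fixed release on each branch, as listed in the article.
FIXED_BY_BRANCH = {
    (7, 6): (7, 6, 4),
    (7, 4): (7, 4, 8),
    (7, 2): (7, 2, 11),
    (7, 0): (7, 0, 11),
}


def parse_version(text: str) -> Version:
    """Turn '7.4.7' (optionally with a leading 'v') into a comparable tuple."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def patch_status(version: str) -> str:
    """'patched', 'vulnerable', or 'unknown-branch' (branch not in the article's list)."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unknown-branch"
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: str) -> List[Tuple[int, str, str, str]]:
    """Rank hosts: vulnerable with the admin interface reachable comes first.

    Input lines (constructed format): '<host>,<version>,<admin_ui_exposed yes|no>'.
    Returns (priority, host, status, action) tuples sorted by priority.
    """
    rows = []
    for line in inventory.strip().splitlines():
        host, version, exposed = (f.strip() for f in line.split(","))
        status = patch_status(version)
        exposed_flag = exposed.lower() == "yes"
        if status == "vulnerable" and exposed_flag:
            rows.append((0, host, status, "patch now; disable HTTP/HTTPS admin UI until then"))
        elif status == "vulnerable":
            rows.append((1, host, status, "patch"))
        elif status == "unknown-branch":
            rows.append((2, host, status, "check the vendor advisory for this branch"))
        else:
            rows.append((3, host, status, "no action for this CVE"))
    return sorted(rows)


# Constructed sample inventory (not real hosts or real version data).
SAMPLE_INVENTORY = """
waf-edge-01, 7.4.7, yes
waf-edge-02, 7.6.4, yes
waf-lab-01,  7.0.10, no
waf-old-01,  6.4.3,  yes
"""

if __name__ == "__main__":
    for priority, host, status, action in triage(SAMPLE_INVENTORY):
        print(f"[P{priority}] {host}: {status} -> {action}")
```

Exposure of the administrative interface is treated as the deciding factor for priority because the article's mitigation is to take that interface offline when the patch cannot be applied immediately.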

On July 11, watchTowr Labs published technical information on the bug, explaining that it resides in a function that fails to properly sanitize user input.

After dissecting the issue, the researchers demonstrated that it could be exploited to write a Python (.pth) file into the server’s site-packages directory, which led to remote code execution (RCE).
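As an added defender-side example (not watchTowr's or Fortinet's code), the script below audits the .pth files in a Python site-packages directory, the mechanism the paragraph above describes. It relies on documented Python behaviour: the site module adds each non-comment line of a .pth file to sys.path, except that lines beginning with "import" are executed when the interpreter starts. The allowlist of expected file names and the sample file contents are constructed assumptions and should be tuned to what a given image actually ships.

```python
"""Audit .pth files in site-packages for lines that execute at interpreter start.

Added example for the mechanism the article describes; not vendor or
researcher code. Sample names and contents below are constructed.
"""
import os
import site
from typing import Dict, List, Tuple

# .pth files commonly shipped by packaging tools. Assumption: adjust this to
# the baseline of your own builds; anything else with executable lines is flagged.
EXPECTED_NAMES = {"distutils-precedence.pth", "easy-install.pth"}


def classify_pth(name: str, content: str) -> Tuple[str, List[str]]:
    """Return ('ok' | 'review', reasons) for the text of one .pth file."""
    reasons = []
    for lineno, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored by site.py
        if line.startswith(("import ", "import\t")):
            reasons.append(f"line {lineno} executes code at interpreter start: {line[:60]}")
        # any other line is only a path entry added to sys.path
    if reasons and name not in EXPECTED_NAMES:
        return "review", reasons
    return "ok", reasons


def audit_pth_texts(files: Dict[str, str]) -> Dict[str, Tuple[str, List[str]]]:
    """Audit an in-memory {name: content} mapping (used for the sample below)."""
    return {name: classify_pth(name, text) for name, text in files.items()}


def audit_site_packages() -> Dict[str, Tuple[str, List[str]]]:
    """Audit the .pth files of the running interpreter's site-packages directories."""
    found = {}
    for directory in site.getsitepackages() + [site.getusersitepackages()]:
        if not os.path.isdir(directory):
            continue
        for name in os.listdir(directory):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(directory, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found[path] = classify_pth(name, fh.read())
    return found


# Constructed sample: a packaging-tool file, a plain path entry, and an unexpected file.
SAMPLE_PTH = {
    "distutils-precedence.pth": "import _distutils_hack\n",
    "my-editable.pth": "/opt/app/src\n",
    "zz-unexpected.pth": "# looks harmless\nimport base64\n",
}

if __name__ == "__main__":
    for name, (verdict, reasons) in audit_pth_texts(SAMPLE_PTH).items():
        print(name, verdict, *reasons, sep="\n  ")
```

On a live system, run audit_site_packages() from the interpreter that the application actually uses, since each interpreter has its own site-packages directories; a "review" verdict means a file outside the expected baseline will run code on every startup and should be compared against the package manifests that legitimately own .pth files.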


While Fortinet made no mention of the bug being exploited in the wild on July 8, the first exploitation attempts were observed on July 11, immediately after watchTowr’s blog post and PoC exploit.

The Shadowserver Foundation on Thursday saw 35 FortiWeb instances on which webshells had been planted, apparently through the exploitation of CVE-2025-25257. The number has dropped from 85 compromised deployments seen on July 14.

According to Censys, there are over 20,000 internet-accessible FortiWeb appliances, although many of them do not appear to be directly exposed. It is unclear how many of these are vulnerable, as Censys could not infer their version information.

Given the ongoing exploitation of the vulnerability and the position FortiWeb has in the network – it is used to connect to and manage devices in the Fortinet ecosystem – users are advised to update their deployments urgently.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
