The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Fortinet FortiWeb vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation of the SQL injection flaw in cyberattacks worldwide.The vulnerability, tracked as CVE-2025-25257, affects Fortinet’s FortiWeb web application firewall and carries a severe CVSS score of 9.6 out of 10.The vulnerability arises from improper neutralization of special elements used in SQL commands, allowing unauthenticated attackers to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.’An improper neutralization of special elements used in an SQL command (‘SQL Injection’) vulnerability -[CWE-89-] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests,’ Fortinet explained in its [advisory.](https://cybersecuritynews.com/fortiweb-sql-injection-vulnerability/)The vulnerability resides in FortiWeb’s Fabric Connector component, which serves as a bridge between the firewall and other Fortinet security products.Security researchers discovered that attackers can exploit the flaw by sending malicious requests to the `/api/fabric/device/status` endpoint with crafted Authorization headers.**Active Exploitation Campaign**——————————–Cybersecurity monitoring organization The Shadowserver Foundation has identified widespread exploitation of the vulnerability, reporting 77 compromised FortiWeb instances as of July 15, 2025. This represents a slight decrease from 85 compromised systems detected the previous day.> We are sharing Fortinet FortiWeb instances compromised with webshells likely via CVE-2025-25257. We see 77 cases on 2025-07-15, down from 85 on 2025-07-14. CVE-2025-25257 exploitation activity observed since Jul 11th. >>> Tree map overview (compromised): [pic.twitter.com/uhxApqKDPY](https://t.co/uhxApqKDPY)> — The Shadowserver Foundation (@Shadowserver) [July 16, 2025](https://twitter.com/Shadowserver/status/1945407662805454871?ref_src=twsrc%5Etfw)The exploitation campaign began on July 11, 2025, coinciding with the public [release of](https://cybersecuritynews.com/fortiweb-fabric-connector-vulnerability-exploited/)proof-of-concept exploit code by security researchers at watchTowr Labs. This rapid weaponization demonstrates how quickly threat actors can leverage publicly available exploits.’We see 77 cases on 2025-07-15, down from 85 on 2025-07-14. CVE-2025-25257 exploitation activity observed since Jul 11th,’ The Shadowserver Foundation reported.The attacks involve deploying webshells on compromised systems, providing persistent backdoor access for attackers. The United States accounts for the highest number of compromised devices at 40, followed by the Netherlands, Singapore, and the United Kingdom.Multiple FortiWeb versions are vulnerable to the attack:Version Affected Solution FortiWeb 7.6 7.6.0 through 7.6.3 Upgrade to 7.6.4 or above FortiWeb 7.4 7.4.0 through 7.4.7 Upgrade to 7.4.8 or above FortiWeb 7.2 7.2.0 through 7.2.10 Upgrade to 7.2.11 or above FortiWeb 7.0 7.0.0 through 7.0.10 Upgrade to 7.0.11 or aboveFortinet released security patches on July 8, 2025, and confirmed on July 18 that the vulnerability ‘has been observed to be exploited in the wild on FortiWeb’.CISA strongly [urges](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) all organizations to prioritize remediation of this vulnerability, noting that ‘these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise’.For organizations unable to immediately patch, Fortinet recommends disabling the HTTP/HTTPS administrative interface as a temporary workaround. Additionally, 223 FortiWeb management interfaces remain exposed online, creating potential targets for further compromise[6](https://www.linkedin.com/posts/the-shadowserver-foundation_cybersecurity-cybercrime-webshells-activity-7351175680211980289-d1C6).The vulnerability was responsibly disclosed by Kentaro Kawane from GMO Cybersecurity by Ierae. Security experts emphasize the critical importance of rapid patch deployment, especially for internet-facing security appliances that serve as primary defensive barriers against cyber threats.Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams –>**[Try ANY.RUN Now](https://any.run/demo?utm_source=csn&utm_medium=article&utm_campaign=top3_ciso_challenges&utm_content=demo_1&utm_term=160725)**The post [CISA Warns of Fortinet FortiWeb SQL Injection Vulnerability Exploited in Attacks](https://cybersecuritynews.com/cisa-fortinet-fortiweb-vulnerability/) appeared first on [Cyber Security News](https://cybersecuritynews.com).
Related Tags:
NAICS: 56 – Administrative And Support And Waste Management And Remediation Services
NAICS: 54 – Professional
Scientific
Technical Services
NAICS: 561 – Administrative And Support Services
NAICS: 541 – Professional
Scientific
Technical Services
NAICS: 518 – Computing Infrastructure Providers
Data Processing
Web Hosting
Related Services
NAICS: 51 – Information
Blog: Cybersecurity News
Server Software Component: Web Shell
Server Software Component
Associated Indicators:
null