A critical vulnerability in Fortinet’s FortiWeb application firewall, identified as CVE-2025-25257 with a CVSS score of 9.6, has been actively exploited in the wild following the public release of proof-of-concept (PoC) exploit code. This SQL injection flaw allows unauthenticated attackers to execute arbitrary SQL commands via specially crafted HTTP or HTTPS requests, potentially leading to unauthorized access and remote code execution.
Discovery and Disclosure
The vulnerability was initially reported by Kentaro Kawane from GMO Cybersecurity by Ierae. Fortinet addressed the issue by releasing patches on July 8, 2025, for FortiWeb versions 7.6.4, 7.4.8, 7.2.11, and 7.0.11. Users were strongly advised to update their systems promptly or disable the HTTP/HTTPS administrative interface if immediate patching was not feasible.
Technical Details and Exploitation
On July 11, 2025, watchTowr Labs published an in-depth analysis of the vulnerability, highlighting that the flaw resides in a function that fails to properly sanitize user input. By exploiting this weakness, attackers can write a Python (.pth) file into the server’s site-packages directory, leading to remote code execution. This method leverages the INTO OUTFILE feature of MySQL to create arbitrary files on the device, which are then executed by legitimate FortiWeb CGI Python scripts.
Active Exploitation in the Wild
Following the publication of the PoC, exploitation attempts were observed almost immediately. The Shadowserver Foundation reported that, as of July 17, 2025, 35 FortiWeb instances had been compromised with webshells, a decrease from 85 compromised deployments noted on July 14. These incidents underscore the rapid adoption of publicly available exploit code by malicious actors.
Scope of the Threat
According to Censys, over 20,000 internet-accessible FortiWeb appliances exist, though many do not appear to be directly exposed. The exact number of vulnerable systems remains unclear, as version information could not be inferred for all instances. Given FortiWeb’s role in managing devices within the Fortinet ecosystem, the potential impact of this vulnerability is significant.
Mitigation Recommendations
In light of ongoing exploitation, it is imperative for organizations using FortiWeb to take immediate action:
– Update Systems: Upgrade to the patched versions—7.6.4, 7.4.8, 7.2.11, or 7.0.11—as soon as possible.
– Disable Administrative Interfaces: If immediate patching is not possible, disable the HTTP/HTTPS administrative interface to prevent unauthorized access.
– Monitor for Indicators of Compromise: Regularly inspect FortiWeb instances for signs of unauthorized access or webshell installations.
– Restrict Access: Ensure that management interfaces are not exposed to untrusted networks, including the internet.
Conclusion
The rapid exploitation of CVE-2025-25257 following the release of PoC code highlights the critical need for prompt patching and vigilant security practices. Organizations must prioritize updating their FortiWeb appliances and implementing recommended mitigations to safeguard against potential breaches.
