Critical Fortinet FortiWeb Flaw CVE-2025-25257 Exploited Within Hours of PoC Release

TL;DR

Hackers exploited a severe Fortinet FortiWeb vulnerability (CVE-2025-25257) within hours of a proof-of-concept (PoC) being published, compromising numerous systems. The flaw is an unauthenticated SQL injection that lets attackers execute unauthorized SQL commands, which researchers chained into remote code execution.

Main Content

Fortinet FortiWeb Vulnerability Exploited

Hackers rapidly exploited a critical flaw in Fortinet FortiWeb, identified as CVE-2025-25257 with a CVSS score of 9.6, soon after a proof-of-concept (PoC) exploit was released. This vulnerability, a SQL injection issue (CWE-89), allows unauthenticated attackers to execute unauthorized SQL commands through crafted HTTP/HTTPS requests.

Vulnerability Details

The vulnerability in FortiWeb enables attackers to perform SQL injection attacks, allowing them to execute unauthorized SQL commands. According to the advisory:

“An improper neutralization of special elements used in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.” [1]

Fortinet has addressed this issue by releasing security patches in versions 7.6.4, 7.4.8, 7.2.11, and 7.0.11.

Responsible Disclosure and Analysis

Kentaro Kawane from GMO Cybersecurity responsibly disclosed this vulnerability. Researchers at WatchTowr conducted a detailed analysis by diffing the httpsd binary of Fortinet’s FortiWeb between versions 7.6.3 and 7.6.4, which revealed the changes Fortinet made to address the vulnerability [2].

Exploitation and Impact

The unauthenticated SQL injection vulnerability was leveraged to achieve remote code execution (RCE). Researchers explored using MySQL’s INTO OUTFILE statement to write arbitrary files to the server’s filesystem. Due to a misconfiguration, files could be written as root, enabling more severe exploits.

Initial attempts to drop a web shell into a CGI-enabled directory failed because the files were not executable. However, researchers found an existing Python script (ml-draw.py) in the CGI directory executed by Apache via /bin/python. They utilized Python’s .pth files, which can execute arbitrary code when placed in Python’s site-packages directory.

INTO OUTFILE imposes file size limits and path constraints, but the researchers worked around them by using relative file paths and assembling the payload from chunks stored in the database. Ultimately, they achieved code execution by placing a crafted .pth file that ran their Python code the next time the CGI script was triggered.

Detection and Mitigation

WatchTowr researchers have created a Detection Artifact Generator for FortiWeb CVE-2025-25257.
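Because the RCE step described above relies on Python’s .pth mechanism (any line in a .pth file under site-packages that begins with `import` is executed at interpreter start-up), a host-side audit of .pth files is a cheap complementary check. The script below is an added example for this post, not WatchTowr’s generator or Fortinet tooling; the sample site directory it builds is constructed, and it assumes the Python `site` module’s documented rule for executable .pth lines.

```python
import site
import tempfile
from pathlib import Path

# Per the Python `site` module, a .pth line starting with "import " or
# "import\t" is executed as code; any other non-blank, non-comment line is
# treated as a path entry to add to sys.path.
EXEC_PREFIXES = ("import ", "import\t")


def audit_pth_dir(site_dir):
    """Return (file_name, line_no, line) for every executable line found in
    .pth files directly under site_dir (non-recursive, like `site` itself)."""
    findings = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        with open(pth, encoding="utf-8", errors="replace") as fh:
            for no, raw in enumerate(fh, start=1):
                line = raw.rstrip("\n")
                if not line.strip() or line.startswith("#"):
                    continue  # blank or comment: never executed
                if line.startswith(EXEC_PREFIXES):
                    findings.append((pth.name, no, line))
    return findings


def build_sample_site_dir():
    """Constructed sample: a benign .pth next to one carrying an import line."""
    d = tempfile.mkdtemp(prefix="pth-audit-")
    Path(d, "benign.pth").write_text("# editable install\n/opt/app/src\n")
    Path(d, "suspect.pth").write_text(
        "/opt/app/src\nimport os; os.path.exists('/tmp')\n"
    )
    return d


if __name__ == "__main__":
    # Audit the constructed sample first, then the live interpreter's own
    # site-packages directories; any hit deserves a manual look.
    dirs = [build_sample_site_dir()] + site.getsitepackages()
    for d in dirs:
        for name, no, line in audit_pth_dir(d):
            print(f"{d}/{name}:{no}: {line}")
```

On an appliance you would point `audit_pth_dir` at the site-packages directory of the interpreter that serves the CGI scripts and compare results against a known-good baseline, since legitimate editable installs also ship .pth files.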

Observed Exploitation

Shadowserver researchers observed 85 compromised FortiWeb systems, a count that had decreased to 35 by July 18. The first exploitation attempts occurred on July 11, shortly after the PoC exploit code was released [3].

Current Status

Censys identified over 20,000 Fortinet FortiWeb devices online, though many are not directly exposed. Due to limited information, their vulnerability status remains unknown [4].

Recommendations

Administrators are strongly advised to apply the available security patches immediately to mitigate the risk of exploitation.

References

  1. Fortinet (2025). “FortiGuard Security Advisory”. Fortinet. Retrieved 2025-07-19.

  2. WatchTowr Labs (2025). “Pre-Auth SQL Injection to RCE: Fortinet FortiWeb Fabric Connector (CVE-2025-25257)”. WatchTowr Labs. Retrieved 2025-07-19.

  3. Shadowserver Foundation (2025). “Twitter Status”. Twitter. Retrieved 2025-07-19.

  4. Censys (2025). “CVE-2025-25257 Advisory”. Censys. Retrieved 2025-07-19.

This post is licensed under CC BY 4.0 by the author.