Critical Fortinet FortiWeb Flaw Added to CISA's Known Exploited Vulnerabilities Catalog
TL;DR
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw in Fortinet FortiWeb, identified as CVE-2025-25257, to its Known Exploited Vulnerabilities (KEV) catalog. This SQL injection vulnerability allows unauthenticated attackers to execute unauthorized SQL commands. Immediate patching is advised due to active exploitation.
Critical Fortinet FortiWeb Flaw Added to CISA’s Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw in Fortinet FortiWeb, tracked as CVE-2025-25257, to its Known Exploited Vulnerabilities (KEV) catalog 1.
Overview of the Vulnerability
The vulnerability, classified as a SQL injection flaw (CWE-89), allows unauthenticated attackers to execute unauthorized SQL commands via crafted HTTP/HTTPS requests. This critical issue, with a CVSS score of 9.6, was swiftly exploited by hackers shortly after a proof-of-concept (PoC) exploit was published on July 11, 2025.
“An improper neutralization of special elements used in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.” Fortinet Advisory
Patch Information
Fortinet has addressed this issue by releasing security patches in the following versions:
- 7.6.4
- 7.4.8
- 7.2.11
- 7.0.11
Discovery and Analysis
The vulnerability was reported by Kentaro Kawane from GMO Cybersecurity under responsible disclosure. WatchTowr researchers conducted a detailed analysis, including binary diffing of Fortinet’s httpsd service, to understand the patch’s impact. They discovered that the SQL injection vulnerability could be escalated to remote code execution by leveraging MySQL’s INTO OUTFILE statement, which allows writing arbitrary files to the server’s filesystem.
Due to a misconfiguration, files could be written as root, enabling more impactful exploits. The researchers used a Python script (ml-draw.py) in the CGI directory and leveraged .pth files to execute arbitrary code.
Impact and Mitigation
Censys reported observing over 20,000 Fortinet FortiWeb devices online, though many did not appear directly exposed. Administrators are strongly advised to apply the necessary patches immediately due to the public availability of exploits.
“At the time of writing, Censys observed 20,098 Fortinet FortiWeb appliances online (honeypots excluded), though many did not appear to be directly exposed.” Censys Advisory
Regulatory Compliance
According to Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must address the identified vulnerabilities by the due date to protect their networks against potential attacks. CISA has set a deadline of August 8, 2025, for federal agencies to fix this vulnerability.
Conclusion
The addition of CVE-2025-25257 to CISA’s KEV catalog highlights the urgent need for organizations to prioritize patching and security measures. Active exploitation of this vulnerability underscores the importance of timely updates and vigilant monitoring to safeguard against cyber threats.
Additional Resources
For further insights, check:
References
-
U.S. Cybersecurity and Infrastructure Security Agency (CISA) (2025). “CISA Adds One Known Exploited Vulnerability Catalog”. CISA. Retrieved 2025-07-20. ↩︎