SOCRadar® Cyber Intelligence Inc. | CVE-2025-25257: Attackers Exploit FortiWeb SQL Injection Bug for Remote Code Execution
Jul 17, 2025

CVE-2025-25257: Attackers Exploit FortiWeb SQL Injection Bug for Remote Code Execution

Cybersecurity researchers have sounded the alarm on an actively exploited vulnerability, tracked as CVE-2025-25257, affecting Fortinet’s FortiWeb appliances.

FortiWeb acts as a Web Application Firewall (WAF), a critical line of defense for enterprise applications. If these systems are compromised, attackers can pivot to broader network intrusions or tamper with sensitive web traffic.

With webshell deployments and targeted attacks already underway following the release of a Proof-of-Concept (PoC) exploit, the clock is ticking for organizations running unpatched systems. But what exactly is this threat, and how should defenders respond?

What Is CVE-2025-25257?

CVE-2025-25257 (CVSS 9.6) is a critical SQL injection vulnerability in Fortinet’s FortiWeb Fabric Connector, a component that facilitates communication with other Fortinet products.

The flaw allows unauthenticated attackers to execute arbitrary SQL commands via specially crafted HTTP or HTTPS requests, resulting in Remote Code Execution (RCE).

CVE-2025-25257: SQL injection vulnerability in Fortinet FortiWeb Fabric Connector (SOCRadar Vulnerability Intelligence)


Which FortiWeb Versions Are Affected by CVE-2025-25257?

The vulnerability impacts several FortiWeb versions, specifically:

  • 7.0.0 through 7.0.10
  • 7.2.0 through 7.2.10
  • 7.4.0 through 7.4.7
  • 7.6.0 through 7.6.3

Fortinet disclosed the flaw on July 8, 2025, but real-world attacks began soon after a Proof-of-Concept (PoC) exploit was released on July 11.

How the Exploit Works

Researchers at watchTowr Labs found that the vulnerability stems from inadequate input sanitization in the get_fabric_user_by_token function. By sending a crafted Authorization header to the /api/fabric/device/status endpoint, attackers can exploit the SQL injection to write a .pth file into the Python site-packages directory of the target system.

This method enables attackers to leverage Python’s import mechanism, effectively executing arbitrary code via CGI scripts and granting them ongoing remote access.

A detection script is available on GitHub to help administrators assess whether their FortiWeb systems are affected by CVE-2025-25257.
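The attack path above gives defenders two concrete indicators: on the network side, requests to /api/fabric/device/status whose Authorization header carries SQL metacharacters, and on the host side, a .pth file in site-packages that contains an import line (CPython's site module executes such lines at interpreter startup, which is what makes the file a persistence point). The following triage helper is an added example, not the GitHub detection script mentioned above and not Fortinet code; the JSON-lines log format and field names are a constructed assumption, and the sample log entries and .pth files are constructed for the demonstration.

```python
"""Defender-side triage helpers for the CVE-2025-25257 attack path.

Added example (not the watchTowr detection script, not Fortinet code).
The log format below is a hypothetical JSON-lines format; adapt the field
names to your real log source.
"""
import json
import os
import re
import tempfile
from typing import Dict, Iterable, List

TARGET_PATH = "/api/fabric/device/status"

# Broad SQL-injection indicators for a header value: quotes, comment
# sequences, statement separators and a few keywords. Deliberately wide;
# tune against the false-positive rate of your own traffic.
SQLI_PATTERN = re.compile(
    r"""(['"`;]|--|/\*|\*/|\b(?:union|select|into|outfile|sleep)\b)""",
    re.IGNORECASE,
)


def flag_request(line: str) -> bool:
    """True when a JSON log line looks like an exploitation attempt.

    Only the vulnerable endpoint is considered, so SQL metacharacters in
    Authorization headers sent elsewhere do not trigger this rule.
    """
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return False
    path = rec.get("path", "").split("?", 1)[0]
    if path != TARGET_PATH:
        return False
    auth = rec.get("headers", {}).get("authorization", "")
    return bool(SQLI_PATTERN.search(auth))


def flag_requests(lines: Iterable[str]) -> List[Dict]:
    """Return the parsed records of every flagged log line."""
    return [json.loads(l) for l in lines if flag_request(l)]


def suspicious_pth_files(site_packages: str) -> List[str]:
    """Return .pth files under site_packages that contain executable lines.

    CPython's site module runs any .pth line that starts with 'import '
    (or 'import<tab>'); legitimate .pth files normally hold only paths.
    """
    hits = []
    for name in sorted(os.listdir(site_packages)):
        if not name.endswith(".pth"):
            continue
        full = os.path.join(site_packages, name)
        with open(full, encoding="utf-8", errors="replace") as fh:
            for raw in fh:
                if raw.startswith(("import ", "import\t")):
                    hits.append(full)
                    break
    return hits


# Constructed sample log lines (hypothetical format, RFC 5737 addresses).
SAMPLE_LOG = [
    '{"src": "198.51.100.7", "path": "/api/fabric/device/status",'
    ' "headers": {"authorization": "Bearer abc123"}}',
    '{"src": "203.0.113.9", "path": "/api/fabric/device/status",'
    ' "headers": {"authorization": "Bearer x\' OR 1=1--"}}',
    '{"src": "203.0.113.9", "path": "/api/v2.0/system/status",'
    ' "headers": {"authorization": "Bearer x\' OR 1=1--"}}',
]


def demo_pth_scan() -> List[str]:
    """Build a constructed site-packages directory and scan it.

    One benign path-only .pth and one .pth with a harmless import line
    stand in for what a real scan of the appliance would see.
    """
    d = tempfile.mkdtemp(prefix="sitepkgs-")
    with open(os.path.join(d, "easy-install.pth"), "w") as fh:
        fh.write("./somepkg-1.0-py3.egg\n")
    with open(os.path.join(d, "zz_hook.pth"), "w") as fh:
        fh.write("import os\n")  # constructed stand-in for an implant line
    return [os.path.basename(p) for p in suspicious_pth_files(d)]


if __name__ == "__main__":
    for rec in flag_requests(SAMPLE_LOG):
        print("suspicious request from", rec["src"])
    print("suspicious .pth files:", demo_pth_scan())
```

Run the host-side check against every Python site-packages directory on the appliance, not just the default one, and treat any .pth file with an import line that you cannot trace to an installed package as a finding worth preserving for forensics before cleanup.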

What’s Happening in the Wild?

Threat intelligence from The Shadowserver Foundation confirms that CVE-2025-25257 is being exploited in active campaigns. According to their post on the X platform, since July 11, attackers have been using it to plant webshells on vulnerable FortiWeb appliances.

As of July 15, at least 77 compromised systems had been identified, down from 85 the day before.

A tree map of the exploitation activity related to CVE-2025-25257 (Shadowserver)


Moreover, 223 FortiWeb administrative interfaces were still exposed online as of July 15, making them likely targets if not patched.

Data from attack surface monitoring platform Censys indicates there are over 20,000 FortiWeb appliances online globally, excluding honeypots, although it is unclear how many are vulnerable.

How to Mitigate the Risk

Fortinet has released patches to address CVE-2025-25257. Organizations should upgrade FortiWeb systems to one of the following secure versions immediately:

  • 7.0.11
  • 7.2.11
  • 7.4.8
  • 7.6.4
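To turn the affected ranges and fixed versions listed on this page into a fleet check, the following added example (not Fortinet tooling) parses FortiWeb version strings, maps each one to its branch, and reports which hosts still need the upgrade. The version string formats it accepts and the inventory of hostnames are assumptions constructed for the demonstration; the numeric ranges are exactly those given above.

```python
"""Fleet triage for CVE-2025-25257 from the version ranges on this page.

Added example, not Fortinet code. Affected ranges and fixed versions come
from the advisory text; version-string formats and hostnames are assumed.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, first fixed) per branch, from the page.
AFFECTED = [
    ((7, 0, 0), (7, 0, 10), (7, 0, 11)),
    ((7, 2, 0), (7, 2, 10), (7, 2, 11)),
    ((7, 4, 0), (7, 4, 7), (7, 4, 8)),
    ((7, 6, 0), (7, 6, 3), (7, 6, 4)),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Accept '7.4.7', 'v7.4.7' or '7.4.7,build...' (assumed formats)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(text: str) -> Dict[str, Optional[object]]:
    """Classify one version: vulnerable True/False, or None if the branch
    is not covered by the advisory ranges (so no guess is made)."""
    v = parse_version(text)
    for lo, hi, fixed in AFFECTED:
        if lo <= v <= hi:
            return {"version": v, "vulnerable": True, "upgrade_to": fixed}
        if v[:2] == lo[:2]:  # same branch but outside the affected range
            return {"version": v, "vulnerable": False, "upgrade_to": None}
    return {"version": v, "vulnerable": None, "upgrade_to": None}


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, current version, target version) for vulnerable hosts.

    Unparseable versions are skipped here; report them separately, since an
    unknown version is not evidence of safety.
    """
    out = []
    for host, ver in sorted(inventory.items()):
        try:
            r = assess(ver)
        except ValueError:
            continue
        if r["vulnerable"]:
            target = ".".join(str(n) for n in r["upgrade_to"])
            out.append((host, ver, target))
    return out


# Constructed inventory for the demonstration.
SAMPLE_INVENTORY = {
    "waf-edge-01": "7.4.7",
    "waf-edge-02": "v7.4.8",
    "waf-dc-01": "7.0.10,build0xyz",
    "waf-lab-01": "8.0.0",
    "waf-lab-02": "unknown",
}


if __name__ == "__main__":
    for host, ver, target in triage(SAMPLE_INVENTORY):
        print(f"{host}: {ver} is vulnerable, upgrade to {target}")
```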

Is There A Temporary Workaround?

If immediate patching is not possible, disable the HTTP/HTTPS administrative interface. This significantly reduces the attack surface by blocking the primary vector used in current exploitation campaigns.

Gain Full Visibility and Real-Time Vulnerability Alerts with SOCRadar

To defend effectively against threats like CVE-2025-25257, you need both clear visibility of your exposed assets and timely intelligence on emerging risks.

SOCRadar’s Attack Surface Management (ASM) constantly scans your internet-facing systems to uncover vulnerabilities before attackers exploit them. Combined with the Cyber Threat Intelligence (CTI) module, your team gains real-time alerts and actionable insights on the latest CVEs and exploit patterns.

Simplify vulnerability tracking and exploit detection with the SOCRadar XTI platform.


SOCRadar’s key Vulnerability Intelligence capabilities include:

  • Continuous discovery and monitoring of exposed assets
  • Early detection of new vulnerabilities and exploits
  • Prioritized patching guided by real-world threat data