{"id":5475,"date":"2025-07-19T10:04:16","date_gmt":"2025-07-19T10:04:16","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/07\/19\/cisa-warns-of-fortinet-fortiweb-sql-injection-vulnerability-exploited-in-attacks\/"},"modified":"2025-07-19T10:04:16","modified_gmt":"2025-07-19T10:04:16","slug":"cisa-warns-of-fortinet-fortiweb-sql-injection-vulnerability-exploited-in-attacks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/07\/19\/cisa-warns-of-fortinet-fortiweb-sql-injection-vulnerability-exploited-in-attacks\/","title":{"rendered":"CISA Warns of Fortinet FortiWeb SQL Injection Vulnerability Exploited in Attacks"},"content":{"rendered":"<div>\n<p>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Fortinet FortiWeb vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation of the SQL injection flaw in cyberattacks worldwide.<\/p>\n<p>The vulnerability, tracked as CVE-2025-25257, affects Fortinet\u2019s FortiWeb web application firewall and carries a severe CVSS score of 9.6 out of 10.<\/p>\n<p>The vulnerability arises from improper neutralization of special elements used in SQL commands, allowing unauthenticated attackers to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.<\/p>\n<p>\u201cAn improper neutralization of special elements used in an SQL command (\u2018SQL Injection\u2019) vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests,\u201d Fortinet explained in its <a href=\"https:\/\/cybersecuritynews.com\/fortiweb-sql-injection-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">advisory.<\/a><\/p>\n<p>The 
vulnerability resides in FortiWeb\u2019s Fabric Connector component, which serves as a bridge between the firewall and other Fortinet security products.<\/p>\n<p>Security researchers discovered that attackers can exploit the flaw by sending malicious requests to the <code>\/api\/fabric\/device\/status<\/code> endpoint with crafted Authorization headers.<\/p>\n<h2 class=\"wp-block-heading\" id=\"active-exploitation-campaign\"><strong>Active Exploitation Campaign<\/strong><\/h2>\n<p>Cybersecurity monitoring organization The Shadowserver Foundation has identified widespread exploitation of the vulnerability, reporting 77 compromised FortiWeb instances as of July 15, 2025. This represents a slight decrease from 85 compromised systems detected the previous day.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">We are sharing Fortinet FortiWeb instances compromised with webshells likely via CVE-2025-25257.  We see 77 cases on 2025-07-15, down from 85 on 2025-07-14. CVE-2025-25257 exploitation activity observed since Jul 11th.  
<\/p>\n<p>Tree map overview (compromised): <a href=\"https:\/\/t.co\/iB95TIf7fa\">https:\/\/t.co\/iB95TIf7fa<\/a> <a href=\"https:\/\/t.co\/uhxApqKDPY\">pic.twitter.com\/uhxApqKDPY<\/a><\/p>\n<p>\u2014 The Shadowserver Foundation (@Shadowserver) <a href=\"https:\/\/twitter.com\/Shadowserver\/status\/1945407662805454871?ref_src=twsrc%5Etfw\">July 16, 2025<\/a>\n<\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>The exploitation campaign began on July 11, 2025, coinciding with the public <a href=\"https:\/\/cybersecuritynews.com\/fortiweb-fabric-connector-vulnerability-exploited\/\" target=\"_blank\" rel=\"noreferrer noopener\">release of <\/a>proof-of-concept exploit code by security researchers at watchTowr Labs. This rapid weaponization demonstrates how quickly threat actors can leverage publicly available exploits.<\/p>\n<p>\u201cWe see 77 cases on 2025-07-15, down from 85 on 2025-07-14. CVE-2025-25257 exploitation activity observed since Jul 11th,\u201d The Shadowserver Foundation reported.<\/p>\n<p>The attacks involve deploying webshells on compromised systems, providing persistent backdoor access for attackers. 
The United States accounts for the highest number of compromised devices at 40, followed by the Netherlands, Singapore, and the United Kingdom.<\/p>\n<p>Multiple FortiWeb versions are vulnerable to the attack:<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>Version<\/th>\n<th>Affected<\/th>\n<th>Solution<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>FortiWeb 7.6<\/td>\n<td>7.6.0 through 7.6.3<\/td>\n<td>Upgrade to 7.6.4 or above<\/td>\n<\/tr>\n<tr>\n<td>FortiWeb 7.4<\/td>\n<td>7.4.0 through 7.4.7<\/td>\n<td>Upgrade to 7.4.8 or above<\/td>\n<\/tr>\n<tr>\n<td>FortiWeb 7.2<\/td>\n<td>7.2.0 through 7.2.10<\/td>\n<td>Upgrade to 7.2.11 or above<\/td>\n<\/tr>\n<tr>\n<td>FortiWeb 7.0<\/td>\n<td>7.0.0 through 7.0.10<\/td>\n<td>Upgrade to 7.0.11 or above<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>Fortinet released security patches on July 8, 2025, and confirmed on July 18 that the vulnerability \u201chas been observed to be exploited in the wild on FortiWeb\u201d.<\/p>\n<p>CISA strongly <a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">urges<\/a> all organizations to prioritize remediation of this vulnerability, noting that \u201cthese types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise\u201d.<\/p>\n<p>For organizations unable to immediately patch, Fortinet recommends disabling the HTTP\/HTTPS administrative interface as a temporary workaround. Additionally, 223 FortiWeb management interfaces remain exposed online, creating potential targets for further compromise<a href=\"https:\/\/www.linkedin.com\/posts\/the-shadowserver-foundation_cybersecurity-cybercrime-webshells-activity-7351175680211980289-d1C6\" target=\"_blank\" rel=\"noreferrer noopener\">6<\/a>.<\/p>\n<p>The vulnerability was responsibly disclosed by Kentaro Kawane from GMO Cybersecurity by Ierae. 
Security experts emphasize the critical importance of rapid patch deployment, especially for internet-facing security appliances that serve as primary defensive barriers against cyber threats.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/cisa-fortinet-fortiweb-vulnerability\/\">CISA Warns of Fortinet FortiWeb SQL Injection Vulnerability Exploited in Attacks<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Guru Baran<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/cisa-fortinet-fortiweb-vulnerability\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA Warns of Fortinet FortiWeb SQL Injection Vulnerability Exploited in Attacks The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Fortinet FortiWeb vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation of the SQL injection flaw in cyberattacks worldwide. 
The vulnerability, tracked as CVE-2025-25257, affects Fortinet\u2019s FortiWeb web application firewall [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-5475","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5475"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=5475"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5475\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=5475"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=5475"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=5475"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}