Fortinet’s FortiWeb, a widely deployed web application firewall (WAF) solution, is currently under active exploitation after attackers began targeting a recently disclosed critical vulnerability. Tracked as CVE-2025-25257, the flaw enables unauthenticated remote code execution (RCE) and has been weaponized by threat actors following the public release of proof-of-concept (PoC) exploits on July 11, 2025.
Critical Vulnerability and Exploitation Timeline
Fortinet disclosed and patched CVE-2025-25257 on July 8, 2025, identifying it as a pre-authentication SQL injection vulnerability affecting multiple FortiWeb versions. The vulnerability exists in how the /api/fabric/device/status API endpoint processes certain HTTP requests. When exploited, it allows attackers to inject arbitrary SQL code and ultimately execute remote commands on the target system.
The situation escalated on July 11, when public PoC code was published, allowing for automated exploitation. By July 14, security researchers, including Shadowserver Foundation, began observing widespread exploitation in the wild. Attackers have been observed installing web shells and launching interactive reverse shells to gain persistent access to compromised systems.
Technical Details: How the Attack Works
Attackers exploit CVE-2025-25257 by modifying HTTP/HTTPS requests, particularly the Authorization header, to inject malicious SQL commands. If successful, this allows the adversary to write to the filesystem—specifically creating a .pth file in the Python site-packages directory.
When a specific CGI script is triggered, the system executes the Python interpreter, which automatically runs the malicious .pth file. This results in arbitrary code being executed with root-level privileges, granting the attacker full control of the device.
Scope and Impact
To date, more than 80 FortiWeb systems have been confirmed compromised, with victims spanning commercial enterprises and government organizations. While the full scale of the campaign is still being assessed, known affected regions include the United States, Europe, and parts of Asia. Initial access often appears opportunistic, targeting instances with exposed web interfaces and outdated firmware.
Affected Versions and Fixes
The following FortiWeb versions are vulnerable to CVE-2025-25257:
| Affected Version Ranges | Patched Version |
|---|---|
| FortiWeb 7.6.0 through 7.6.3 | Upgrade to 7.6.4 |
| FortiWeb 7.4.0 through 7.4.7 | Upgrade to 7.4.8 |
| FortiWeb 7.2.0 through 7.2.10 | Upgrade to 7.2.11 |
| FortiWeb 7.0.0 through 7.0.10 | Upgrade to 7.0.11 |
