How is the FortiWeb vulnerability CVE-2025-25257 being exploited?

Security researchers detected attacks sending malicious requests to the `/api/fabric/device/status` endpoint with specially crafted Authorization headers. The vulnerability is exploited via a function called `get_fabric_user_by_token` within FortiWeb's httpsd service, which fails to properly sanitize Bearer tokens from HTTP Authorization headers before incorporating them into SQL queries.

What is the CVSS score for the FortiWeb vulnerability?

CVE-2025-25257 has a CVSS score of 9.6, which represents a critical severity level. This high score reflects the unauthenticated remote code execution capability and the potential for significant impact on affected systems.

What type of vulnerability is CVE-2025-25257?

CVE-2025-25257 is an unauthenticated SQL injection vulnerability that affects FortiWeb web application firewalls. It allows remote attackers to execute unauthorized SQL code or commands without authentication through specially crafted HTTP or HTTPS requests.

Who released the proof-of-concept exploit for the FortiWeb vulnerability?

watchTowr Labs released proof-of-concept exploit code for CVE-2025-25257 on July 11, 2025, which coincided with the beginning of active exploitation campaigns targeting vulnerable FortiWeb instances.

What endpoint is being targeted in FortiWeb attacks?

Security researchers detected attacks targeting the `/api/fabric/device/status` endpoint on FortiWeb devices. Attackers are sending malicious requests to this endpoint with specially crafted Authorization headers to exploit the SQL injection vulnerability.

What is FortiWeb and why is this vulnerability significant?

FortiWeb is a web application firewall designed to protect web applications from attacks. This vulnerability is particularly significant because it affects a security device that organizations rely on for protection, and the unauthenticated nature of the exploit makes it easily accessible to attackers.

Attack

Critical Fortinet FortiWeb SQL injection vulnerability actively exploited

Q: What is CVE-2025-25257 affecting FortiWeb?

CVE-2025-25257 is a critical vulnerability affecting FortiWeb web application firewall with a CVSS score of 9.6. It's caused by improper neutralization of special elements used in SQL commands, creating an unauthenticated SQL injection weakness that allows remote attackers to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.

Q: When did active exploitation of the FortiWeb vulnerability begin?

Exploitation of CVE-2025-25257 began on July 11, 2025, on the same day as the public release of proof-of-concept exploit code by watchTowr Labs. This rapid exploitation demonstrates the critical nature of this vulnerability.

Q: Which countries have the most compromised FortiWeb devices?

The United States accounts for the highest number of compromised devices at 40 instances, followed by the Netherlands, Singapore, and the United Kingdom.

Q: Has CISA responded to the FortiWeb vulnerability?

Yes, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed the active exploitation by adding CVE-2025-25257 to its Known Exploited Vulnerabilities (KEV) catalog. CISA strongly urges all organizations to prioritize remediation of this vulnerability.

published: July 19, 2025

Take action: If you have Fortinet FortiWeb systems running versions 7.0 through 7.6.3, time to act NOW. Make sure it's web admin interface is isolated from the internet and accessible from trusted networks. Then plan a VERY QUICK patch, there is an exploit PoC public and hackers are actively attacking the systems.

Learn More

Security researchers report active exploitation of the vulnerability affecting FortiWeb web application firewall.

The flaw is tracked as CVE-2025-25257 (CVSS score 9.6), is caused by improper neutralization of special elements used in SQL commands, creating an unauthenticated SQL injection weakness that allows remote attackers to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.

Security researchers detected attacks that are sending malicious requests to the /api/fabric/device/status endpoint with specially crafted Authorization headers. The vulnerability is exploited via a a function called get_fabric_user_by_token within FortiWeb's httpsd service, which fails to properly sanitize Bearer tokens from HTTP Authorization headers before incorporating them into SQL queries.

Exploitation of the vulnerability began on July 11, 2025, on the same day with the public release of proof-of-concept exploit code by watchTowr Labs. The Shadowserver Foundation has been monitoring the exploitation campaign and reported 85 compromised FortiWeb instances on July 14, which decreased slightly to 77 on July 15, then further dropped to 35 by July 18, 2025.

United States accounts for the highest number of compromised devices at 40 instances, followed by the Netherlands, Singapore, and the United Kingdom.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed the active exploitation by adding CVE-2025-25257 to its Known Exploited Vulnerabilities (KEV) catalog. CISA strongly urges all organizations to prioritize remediation of this vulnerability.

Critical Fortinet FortiWeb SQL injection vulnerability actively exploited

Read More
CISA reports active exploitation of Oracle AgilePLM flaws
Windows kernel flaw actively exploited
FBI and Cisco warn of hackers exploiting seven-year-old …
CISA warns of critical Oracle flaw actively exploited
CISA reports active exploitation of GeoServer XXE flaw