Unauthorized Access Granted to Fortinet FortiWeb Instances Through Published Proof-of-Concept Exploits, Resulting in the Installation of Webshells
A critical SQL injection vulnerability, CVE-2025-25257, has been discovered in Fortinet's FortiWeb web application firewall, putting thousands of devices at risk. The flaw, with a CVSS severity score of 9.6 out of 10, allows unauthenticated attackers to execute arbitrary SQL commands and even achieve remote code execution on vulnerable FortiWeb appliances.
The vulnerability lies within the Fabric Connector component of FortiWeb, specifically the /api/fabric/device/status endpoint. The issue arises due to the HTTP Authorization header's Bearer token being used directly in an SQL query without proper sanitization, enabling attackers to inject malicious SQL commands by crafting special HTTP or HTTPS requests.
The exploit targets a Python CGI script (/cgi-bin/ml-draw.py) and deploys malicious Python .pth files to achieve code execution under the Python context on the device. This poses risks to system integrity, data confidentiality, and availability.
As of July 15, over 5,000 potentially vulnerable FortiWeb instances were found exposed online. Shadowserver reported a widespread hacking campaign involving the compromise of dozens of Fortinet FortiWeb instances. The attacks are ongoing.
Fortinet disclosed the vulnerability on July 8 and released patches to address it on July 12. However, proof-of-concept exploits and technical write-ups have been publicly released, increasing the risk of active exploitation. No widespread active exploitation has been reported yet, but the availability of exploits means the risk is imminent and serious.
Organizations using FortiWeb are urged to immediately apply the security patches released by Fortinet. If patching is not immediately possible, network controls can be used to restrict access to the vulnerable API endpoints to prevent unauthorized HTTP requests. Network traffic and logs should be monitored for suspicious requests, especially unusual Authorization header usage. Configuration settings should be reviewed to ensure minimal exposure and limit the attacker surface.
In addition to patching, Fortinet recommends disabling the HTTP/HTTPS administrative interface as a temporary workaround for organizations unable to apply the patches right away. For those who cannot disable the interface, Fortinet suggests implementing strong authentication measures and access controls.
This vulnerability underscores the importance of regular software updates and vigilant cybersecurity practices. As the threat landscape continues to evolve, it is crucial for organizations to stay informed and proactive in protecting their systems and data.
[1] Fortinet Security Advisory: https://www.fortinet.com/support/security-advisories/fortinet-sa-2025-25257.html [2] Shadowserver Alert: https://www.shadowserver.org/alerts/shadowserver-alert-20250714-fortinet-fortiweb-waf-sqli-vulnerability/ [3] WatchTower APT Alert: https://www.watchtower.ai/alert/ap-2025-02-fortinet-fortiweb-sqli-vulnerability-cve-2025-25257/ [4] CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25257
Security researchers have identified a critical SQL injection vulnerability, CVE-2025-25257, in Fortinet's FortiWeb web application firewall, which could potentially affect thousands of devices. The vulnerability is found within the Fabric Connector component, specifically the /api/fabric/device/status endpoint, and can enable unauthenticated attackers to execute arbitrary SQL commands or even achieve remote code execution on vulnerable FortiWeb appliances due to insufficient technology used for SQL query sanitization.
