Cybercriminals allegedly planning assaults on vital Fortinet software, according to recent warnings issued by researchers.
In the realm of cybersecurity, a critical vulnerability has been identified in Fortinet's FortiWeb Fabric Connector. The flaw, tracked as CVE-2025-25257, has been added to the catalog of known exploited vulnerabilities by the Cybersecurity and Infrastructure Security Agency (CISA).
This vulnerability, which allows unauthenticated attackers to execute arbitrary SQL commands, has been given a CVSS score of 9.6, signifying its high severity. Successful exploitation can lead to remote code execution (RCE), data theft, privilege escalation, and potential full system compromise.
The vulnerability has been found to affect FortiWeb versions 7.0.0–7.0.10, 7.2.0–7.2.10, 7.4.0–7.4.7, and 7.6.0–7.6.3. The Fabric Connector component, which integrates FortiWeb with Fortinet products like FortiGate and FortiSandbox, is the target of the exploit. Attackers can bypass WAF protections, deploy webshells, persistently backdoor devices, disrupt services, and manipulate sensitive data or configurations.
Researchers at watchTowr published extensive research on the vulnerability last week, and Fortinet confirmed exploitation of the vulnerability in an update to its security guidance. Detection tools and patches have been issued by Fortinet and security vendors, with urgent patching strongly advised to prevent compromise.
Patrick Garrity, a security researcher at VulnCheck, stated that Fortinet may not have been aware of exploitation prior to the disclosure. Since signatures and detections have been written, other organizations are now detecting exploitation of the vulnerability.
The Shadowserver Foundation, a non-profit organization dedicated to cyber threat intelligence, detected 85 compromised instances on Monday and 77 instances on Tuesday. The foundation has seen active exploitation since July 11.
Ryan Dewhurst, head of proactive threat intelligence at watchTowr, advised that the advisory published by Fortinet considers the risk as critical. With active exploitation documented and significant impact potential on both FortiWeb and interconnected Fortinet security products if unpatched, this vulnerability poses a severe threat to FortiWeb installations worldwide.
- Threat intelligence reports from watchTowr have highlighted the critical threat posed by CVE-2025-25257, a vulnerability in Fortinet's FortiWeb Fabric Connector, given its high CVSS score and potential for remote code execution, data theft, privilege escalation, and system compromise.
- The vulnerability, which allows unauthenticated attackers to execute arbitrary SQL commands, has been added to the catalog of known exploited vulnerabilities by the Cybersecurity and Infrastructure Security Agency (CISA).
- In the general-news realm, there has been a focus on the potential impact of this vulnerability on data-and-cloud-computing systems, especially FortiWeb and associated Fortinet products like FortiGate and FortiSandbox.
- The cybersecurity community is urging immediate patching to prevent compromise, as this vulnerability, if left unpatched, could lead to significant disruption and potential criminal activity, given the ease with which attackers can bypass WAF protections, deploy webshells, and manipulate sensitive data or configurations.
- Crime-and-justice experts are closely monitoring the active exploitation of this vulnerability, with the Shadowserver Foundation reporting 85 compromised instances on Monday and 77 on Tuesday, underscoring the need for infosec professionals to stay vigilant in the face of such threats.
