The cybersecurity landscape faces another critical threat as dozens of Fortinet FortiWeb instances have been compromised with webshells in a widespread hacking campaign.
The Shadowserver Foundation has identified 77 compromised FortiWeb instances, marking a significant security incident that directly followed the public release of proof-of-concept exploits for a critical vulnerability tracked as CVE-2025-25257.
This development shows how short the gap between vulnerability disclosure and active exploitation has become, and how quickly threat actors weaponize publicly available exploit code against enterprise security infrastructure.
The vulnerability at the center of these attacks, CVE-2025-25257, represents a critical pre-authenticated SQL injection vulnerability in the FortiWeb graphical user interface with a CVSS severity score of 9.6 out of 10.
This critical rating reflects the vulnerability’s potential for severe impact, as it allows unauthenticated attackers to execute unauthorized code or commands remotely by sending specially crafted HTTP requests.
The vulnerability was discovered by security researcher Kentaro Kawane of GMO Cybersecurity and resides specifically in the FortiWeb Fabric Connector, a component designed to integrate the Web Application Firewall with other Fortinet security products.
However, the situation escalated dramatically on July 11 when cybersecurity firm WatchTowr and one of the vulnerability co-discoverers published proof-of-concept exploits.
These public exploits demonstrated precisely how attackers could leverage SQL injection techniques to plant webshells or establish reverse shells on vulnerable devices, effectively granting them persistent access and control over compromised systems.
Only three days separated Fortinet's disclosure from public exploit availability, and threat actors moved within that window.
The Shadowserver Foundation’s monitoring efforts revealed that active exploitation of the vulnerability began on July 11, 2025, coinciding exactly with the public release of exploit code.
Their Tuesday report documented 77 compromised FortiWeb instances, representing a slight decrease from 85 identified the previous day.
This decline may indicate either successful remediation efforts or the natural fluctuation of compromised systems as some are taken offline or patched.
The geographic distribution of compromised systems reveals a global impact, with the United States bearing the highest burden at 40 compromised devices, followed by the Netherlands, Singapore, and the United Kingdom.
Beyond the confirmed compromised systems, an additional 223 FortiWeb management interfaces remained exposed to the internet as of July 15, with their patch status unconfirmed.
These exposed systems are considered highly likely to be compromised if they have not been updated, significantly expanding the potential scope of the security incident.
Fortinet disclosed the vulnerability on July 8, 2025, and released patches at the same time.
Fortinet has responded to the active exploitation by urging customers to immediately upgrade to secure versions, including FortiWeb 7.6.4, 7.4.8, 7.2.11, or 7.0.11 and later releases.
These updated versions contain the necessary security patches to address the SQL injection vulnerability and prevent further exploitation.
The company’s rapid response underscores the critical nature of this vulnerability and the immediate threat it poses to organizations running unpatched FortiWeb appliances.
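The fixed releases above give a simple triage rule for an asset inventory, but it is easy to get wrong with naive string comparison (7.0.11 sorts before 7.0.9 lexically). The following Python is added here as an example; it is not Fortinet's or Shadowserver's tooling. It assumes the four fixed releases quoted above, gives no verdict for branches the article does not list (check the vendor advisory for those), and uses a constructed sample inventory, not real hosts.

```python
"""
Triage helper for CVE-2025-25257 patch status, added as an example; it is not
Fortinet's or Shadowserver's tooling. It maps a FortiWeb version string to the
fixed release for its branch using the releases named in Fortinet's guidance
(7.6.4, 7.4.8, 7.2.11, 7.0.11 and later). Branches outside that list get no
verdict; consult the vendor advisory for them. The inventory at the bottom is
constructed sample data, not real hosts.
"""
import re
from typing import Optional

# Minimum patched release per affected FortiWeb branch, keyed by (major, minor).
FIXED_RELEASES: dict[tuple[int, int], tuple[int, int, int]] = {
    (7, 6): (7, 6, 4),
    (7, 4): (7, 4, 8),
    (7, 2): (7, 2, 11),
    (7, 0): (7, 0, 11),
}

# Matches a bare major.minor.patch triple anywhere in a banner or CLI string,
# e.g. "7.4.7", "v7.4.7" or "FortiWeb-VM 7.4.7 build0571" (assumed formats).
_VERSION_RE = re.compile(r"(?<!\d)(\d+)\.(\d+)\.(\d+)(?!\d)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from a version-bearing string.

    Raises ValueError if no three-part version is present.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no major.minor.patch version found in {text!r}")
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def is_patched(text: str) -> Optional[bool]:
    """Return True if the version is at or above the fixed release for its
    branch, False if it is below it, and None if the branch is not one of the
    four the advisory lists (so no conclusion can be drawn here)."""
    major, minor, patch = parse_version(text)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return None
    # Tuple comparison orders numerically, so 7.0.11 > 7.0.9; a string
    # comparison would get this wrong.
    return (major, minor, patch) >= fixed


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Classify each host's banner as patched, VULNERABLE, unknown branch or
    unparseable. VULNERABLE hosts that were internet exposed should also be
    treated as potentially already compromised, not merely unpatched."""
    verdicts: dict[str, str] = {}
    for host, banner in inventory.items():
        try:
            status = is_patched(banner)
        except ValueError:
            verdicts[host] = "unparseable"
            continue
        if status is None:
            verdicts[host] = "unknown branch"
        else:
            verdicts[host] = "patched" if status else "VULNERABLE"
    return verdicts


# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY = {
    "waf-nyc-01": "FortiWeb-VM 7.6.3 build1234",
    "waf-nyc-02": "7.6.4",
    "waf-ams-01": "v7.4.8",
    "waf-sgp-01": "FortiWeb 7.2.10",
    "waf-lon-01": "7.0.12",
    "waf-lab-01": "6.4.2",
    "waf-lab-02": "FortiWeb (version unknown)",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {verdict}")
```

The "unknown branch" outcome is deliberate: a version the article's fix list does not cover is not evidence of safety, and a hardened triage script should refuse to guess rather than silently mark such hosts as patched.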
For organizations unable to apply patches immediately, Fortinet recommends implementing a temporary workaround by disabling the HTTP/HTTPS administrative interface.
This measure blocks the primary attack vector while organizations prepare for full patching, but it does not remove a webshell that has already been planted; any appliance whose administrative interface was internet-exposed before it was patched or disabled should be treated as potentially compromised and investigated.
The current situation serves as a stark reminder of the importance of rapid patch deployment and the risks associated with publicly available exploit code targeting critical infrastructure components.