A critical SQL injection flaw in Fortinet’s FortiWeb is under active attack. Learn about the vulnerability, CVE-2025-25257, and how to patch your systems immediately.
According to cybersecurity experts, hackers are actively exploiting a critical flaw in Fortinet’s FortiWeb Fabric Connector.
The vulnerability, tracked as CVE-2025-25257, involves an improper neutralization of special elements used in an SQL command. Successful exploitation of the vulnerability can allow an attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests, according to a Fortinet advisory.
FortiWeb Fabric Connector serves as an interface between the FortiWeb firewall and other Fortinet products, feeding information from those other products into FortiWeb to support its dynamic security protections.
Shadowserver Foundation said that as of Thursday, it had detected approximately 49 compromised Fortinet FortiWeb instances. That figure represented a decrease from the 85 compromised instances that the group detected on Monday and the 77 instances detected on Tuesday. Shadowserver said it has seen active exploitation since July 11.
“The advisory published by Fortinet is clear about the severity of the risk: This is a critical unauthenticated SQL injection vulnerability that must either be patched immediately or mitigated by fully disabling the affected web interface,” said Ryan Dewhurst, head of proactive threat intelligence at watchTowr. “The surge in compromised devices reflects how quickly threat actors are now operating, far faster than they have in the past.”
Researchers at watchTowr published extensive research on the vulnerability last week. Fortinet credited a company called GMO Cybersecurity with reporting the flaw to it.
It remains unclear which threat actors are targeting FortiWeb or what their motivations are.
Because it enables connectivity between Fortinet products, FortiWeb Fabric Connector is considered a very important program. Dewhurst said the connector enables important functions like SSO integration and dynamic policy enforcement.
“Fortinet may not have been aware of exploitation prior to the disclosure and now that signatures and detections for the vulnerability have been written, other organizations are detecting exploitation of the vulnerability,” said Patrick Garrity, security researcher at VulnCheck.
On Friday, the Cybersecurity and Infrastructure Security Agency said it added the flaw to its catalog of known exploited vulnerabilities. Fortinet also confirmed exploitation in an update to its security guidance.
