Cyber threats loom over crucial Fortinet software, advise experts
A critical SQL injection vulnerability (CVE-2025-25257) has been discovered in Fortinet's FortiWeb Fabric Connector, allowing unauthenticated attackers to execute unauthorized SQL code or commands. This vulnerability has been actively exploited since at least July 11, 2025, with dozens of Fortinet FortiWeb instances compromised worldwide.
The vulnerability, with a critical CVSS score of 9.6, allows attackers to inject SQL commands and execute arbitrary code remotely via crafted HTTP/HTTPS requests without needing prior access [1][2][4]. The rapid increase and then decrease in detected compromises indicate active exploitation by multiple threat actors, who quickly move to leverage or abandon targets based on opportunity or defensive measures [1].
Attackers exploit the flaw by injecting SQL into a vulnerable API endpoint that then allows arbitrary file writes, including overwriting Python files for remote code execution. This suggests advanced threat actors could escalate privileges on compromised systems and maintain persistence [2][4].
While specific threat actor groups are not explicitly named in the sources, the described activity—fast, automated scans and exploitation of publicly exposed vulnerable Fortinet devices—aligns with financially motivated cybercriminals, ransomware groups, or botnet operators seeking entry points in enterprise networks [1][4].
The vulnerability in FortiWeb Fabric Connector is considered a very important program due to its role in enabling connectivity between Fortinet products [6]. FortiWeb Fabric Connector serves as an interface between the FortiWeb firewall and other Fortinet products, providing essential functions like SSO integration and dynamic policy enforcement [5].
Fortinet has confirmed the exploitation of the vulnerability in an update to its security guidance [3]. Researchers at watchTowr published extensive research on the vulnerability last week [4]. The number of compromised instances decreased from 85 on Monday and 77 on Tuesday, with Shadowserver Foundation detecting approximately 49 Fortinet FortiWeb instances that have been compromised as of Thursday [7].
The vulnerability has been added to the catalog of known exploited vulnerabilities by the Cybersecurity and Infrastructure Security Agency [8]. Fortinet has credited a company called GMO Cybersecurity with reporting the flaw to them [9].
Mitigation urgency and advisories from CISA and national CERTs further confirm the exploitation by multiple malicious actors aiming to cause harm by data theft, disruption, or wider network compromise [2][4]. It remains unclear which threat actors are targeting FortiWeb or what their motivations are [1].
[1] https://www.bleepingcomputer.com/news/security/fortinet-fortiweb-sql-injection-vulnerability-exploited-in-the-wild/ [2] https://www.cisa.gov/uscert/ncas/alerts/aa25-309a [3] https://www.fortinet.com/content/dam/webroot/en/product-and-solution-documentation/fortiweb/product-bulletins/fortiweb-security-bulletin-0055-2025-sql-injection-vulnerability-in-fortinet-fortiweb-fabric-connector.pdf [4] https://www.securityweek.com/researchers-discover-critical-sql-injection-vulnerability-affecting-fortinet-fortiweb [5] https://www.bleepingcomputer.com/news/security/fortinet-fortiweb-sql-injection-vulnerability-exploited-in-the-wild/ [6] https://www.fortinet.com/content/dam/webroot/en/product-and-solution-documentation/fortiweb/product-bulletins/fortiweb-security-bulletin-0055-2025-sql-injection-vulnerability-in-fortinet-fortiweb-fabric-connector.pdf [7] https://www.bleepingcomputer.com/news/security/fortinet-fortiweb-sql-injection-vulnerability-exploited-in-the-wild/ [8] https://www.cisa.gov/uscert/ncas/alerts/aa25-309a [9] https://www.fortinet.com/content/dam/webroot/en/product-and-solution-documentation/fortiweb/product-bulletins/fortiweb-security-bulletin-0055-2025-sql-injection-vulnerability-in-fortinet-fortiweb-fabric-connector.pdf
- The threat intelligence community is actively monitoring the exploitation of the critical SQL injection vulnerability (CVE-2025-25257) in Fortinet's FortiWeb Fabric Connector, as this vulnerability has been used by unauthenticated attackers to execute unauthorized SQL commands since at least July 11, 2025.
- The discovery of this vulnerability, with a CVSS score of 9.6, highlights the importance of keeping up-to-date with threat intelligence and the need for robust cybersecurity measures, particularly when dealing with products like firewalls and APIs.
- Infosec professionals should be aware that financially motivated cybercriminals, ransomware groups, or botnet operators may be targeting FortiWeb firewalls due to the recent SQL injection vulnerability.
- In the wake of this vulnerability, privacy and security within the finance sector could be at risk, as compromised FortiWeb instances could potentially serve as entry points for malicious actors aiming for data theft or disruption.
