
Fortinet FortiWeb Hacks Tied to Public RCE Exploits

Summary

– Multiple Fortinet FortiWeb instances were recently infected using public exploits for a critical RCE flaw (CVE-2025-25257), as reported by The Shadowserver Foundation.
– The flaw affects FortiWeb versions 7.6.0-7.6.3, 7.4.0-7.4.7, 7.2.0-7.2.10, and 7.0.0-7.0.10, allowing unauthenticated attackers to execute unauthorized SQL commands via crafted HTTP or HTTPS requests and, from there, arbitrary code.
– Fortinet released patches on July 8, 2025, urging users to upgrade to secure versions (e.g., FortiWeb 7.6.4, 7.4.8) after exploits were made public on July 11.
– The attack involves SQL injection via HTTP Authorization headers, writing a malicious .pth file, and executing code via a legitimate FortiWeb script (/cgi-bin/ml-draw.py).
– Most of the compromised endpoints (40) were in the U.S., and administrators are advised to patch immediately or, if patching isn’t feasible, to disable the HTTP/HTTPS administrative interface.

Security teams are scrambling after reports confirmed active exploitation of a critical Fortinet FortiWeb vulnerability, with attackers deploying web shells using publicly available exploits. The attacks target unpatched systems vulnerable to CVE-2025-25257, a severe SQL injection flaw allowing remote code execution without authentication.

Threat analysts at The Shadowserver Foundation detected 85 compromised FortiWeb instances on July 14, followed by 77 additional infections the next day. The attacks leverage exploits released publicly on July 11, three days after Fortinet issued patches on July 8. The vulnerability affects multiple FortiWeb branches: 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10, and 7.0.0 through 7.0.10.

Fortinet’s advisory warned that crafted HTTP or HTTPS requests could trigger unauthorized SQL command execution, enabling attackers to take full control of vulnerable devices. Researchers from WatchTowr and independent security researcher “faulty *ptrrr” published proof-of-concept exploits demonstrating how attackers could deploy web shells or establish reverse shells on unpatched systems.

The exploit chain starts with SQL injection through a manipulated Authorization header sent to the `/api/fabric/device/status` endpoint. The injection is turned into a file write that drops a malicious `.pth` file into the Python `site-packages` directory. That matters because Python’s `site` module processes every `.pth` file in that directory at interpreter start-up and executes any line that begins with `import`, so the planted line runs inside the next Python process to start. Attackers trigger that by requesting `/cgi-bin/ml-draw.py`, a legitimate FortiWeb CGI script whose interpreter start-up inadvertently runs the planted code.
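The following Python is an added example written for this page; it is not code from the article, from Fortinet or from the researchers named above. It shows the two halves of the last step of the chain: why a `.pth` file with an `import` line is a code-execution primitive (using `site.addsitedir`, the same routine the interpreter runs over `site-packages` at start-up), and a triage scanner that lists every executable `.pth` line in a directory so an analyst can spot a planted one. All directories and file contents are constructed and harmless; nothing touches the real `site-packages`.

```python
"""
Why a planted .pth file means code execution, and how to triage .pth files.

Added example, not code from the article, Fortinet or watchTowr.  Every file
written below is constructed and harmless and lives in a throwaway directory.
"""
import os
import re
import site
import tempfile


def plant_and_trigger(marker_env="PTH_DEMO_MARKER"):
    """Write a benign .pth into a throwaway directory and process it the way
    the interpreter processes site-packages at start-up.

    site.addsitedir() is the routine site.py calls for each site directory.
    Plain lines are appended to sys.path, but any line beginning with
    "import " is handed to exec().  Returns the value set by the executed
    line ("executed"), or None if nothing ran.
    """
    sitedir = tempfile.mkdtemp(prefix="pth-demo-")
    # Constructed payload: a single import line that does arbitrary work.
    payload = f"import os; os.environ['{marker_env}'] = 'executed'\n"
    with open(os.path.join(sitedir, "demo.pth"), "w", encoding="utf-8") as fh:
        fh.write(payload)
    os.environ.pop(marker_env, None)
    site.addsitedir(sitedir)          # this is the moment the line runs
    return os.environ.get(marker_env)


# Import lines that do more than load a module deserve a look.  Legitimate
# packages do ship compound import lines (setuptools' easy-install.pth,
# virtualenv's _virtualenv.pth), so "review" means triage, not a verdict.
_HIGH_RISK = re.compile(
    r"exec\(|eval\(|__import__|compile\(|base64|marshal|zlib|"
    r"subprocess|os\.system|os\.popen|socket|urllib|pty\.spawn"
)


def scan_pth_dir(sitedir):
    """Return (filename, lineno, level, line) for every executable .pth line.

    level is "high" when the line matches _HIGH_RISK, otherwise "review".
    Lines that do not start with "import" are plain sys.path entries and are
    never executed, so they are skipped.
    """
    findings = []
    for name in sorted(os.listdir(sitedir)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(sitedir, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if not line.startswith(("import ", "import\t")):
                    continue
                level = "high" if _HIGH_RISK.search(line) else "review"
                findings.append((name, lineno, level, line.rstrip("\n")))
    return findings


def demo_scan():
    """Build a throwaway site dir holding one benign and one hostile .pth
    (both constructed; the hostile one is never executed) and return
    scan_pth_dir() over it."""
    sitedir = tempfile.mkdtemp(prefix="pth-scan-")
    files = {
        # What setuptools-style tooling legitimately writes.
        "easy-install.pth": "/opt/app/lib\nimport sys; sys.__plen = len(sys.path)\n",
        # What an attacker would drop; the base64 decodes to just "pass".
        "planted.pth": "import base64,os;exec(base64.b64decode('cGFzcw=='))\n",
    }
    for name, content in files.items():
        with open(os.path.join(sitedir, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    return scan_pth_dir(sitedir)


if __name__ == "__main__":
    print("planted .pth line ran:", plant_and_trigger() == "executed")
    for name, lineno, level, line in demo_scan():
        print(f"[{level:6}] {name}:{lineno}: {line}")
```

On a host you can inspect, point `scan_pth_dir` at each directory returned by `site.getsitepackages()` for the interpreter in question. Any `import` line you cannot trace back to an installed package is the file to pull, because patching FortiWeb closes the injection but does not remove a `.pth` that is already in place.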

While initial reports suggested no widespread exploitation, Shadowserver’s findings confirm active attacks in the wild. As of yesterday, 223 FortiWeb management interfaces remained exposed online, though it is unclear how many of those run vulnerable versions. The majority of compromised systems were in the U.S. (40), followed by the Netherlands (5), Singapore (4), and the U.K. (4).

FortiWeb, a widely used web application firewall (WAF), protects enterprises, government networks, and managed security providers from malicious web traffic. Given the severity of the flaw, organizations still running vulnerable versions should prioritize upgrading to FortiWeb 7.6.4, 7.4.8, 7.2.11, or 7.0.11 immediately. If patching isn’t feasible, administrators should disable the HTTP/HTTPS administrative interface to block access to the vulnerable endpoint. Because the exploit plants a web shell, any appliance whose management interface was reachable from the internet before it was patched should also be checked for compromise; upgrading closes the injection but does not remove an implant that is already there.

The rapid weaponization of this vulnerability underscores the importance of timely patch deployment, especially for internet-facing security appliances. With exploits now publicly available, delays in mitigation could leave organizations exposed to further attacks.

(Source: Bleeping Computer)
