Ethical Hacking News
A critical vulnerability in Fortinet's web security solution has left many users vulnerable to attacks by malicious actors following hours after a proof-of-concept (PoC) exploit was published. The vulnerability, designated as CVE-2025-25257 and scored 9.6 on the Common Vulnerability Scoring System (CVSS), allows unauthenticated attackers to execute unauthorized SQL commands via crafted HTTP/HTTPS requests. This article provides an in-depth analysis of the Fortinet FortiWeb flaw and its implications for organizations that rely on this web security solution.
Fortinet FortiWeb, a popular web security solution, has been compromised by hackers due to a critical SQL injection vulnerability (CVE-2025-25257). The vulnerability allows unauthenticated attackers to execute unauthorized SQL commands via crafted HTTP/HTTPS requests. Hackers exploited this vulnerability on July 11, just hours after the proof-of-concept exploit was published. The vulnerability has resulted in dozens of compromised systems and over 20,000 exposed Fortinet FortiWeb devices online. Administrators are strongly advised to apply patches immediately due to the availability of public exploits.
Fortinet FortiWeb, a popular web security solution for protecting against cyber threats, has been compromised by hackers following hours after a proof-of-concept (PoC) exploit was published. The vulnerability, designated as CVE-2025-25257 and scored 9.6 on the Common Vulnerability Scoring System (CVSS), allows unauthenticated attackers to execute unauthorized SQL commands via crafted HTTP/HTTPS requests.
This critical flaw in Fortinet's web security solution has left many users vulnerable to attacks by malicious actors. According to a report by Pierluigi Paganini, the hackers exploited this vulnerability on July 11, just hours after the PoC exploit was published. The incident highlights the importance of timely patching and updating software to prevent such vulnerabilities from being exploited.
The FortiWeb flaw is classified as a SQL injection vulnerability, which is a type of attack that involves injecting malicious SQL code into a web application's database in order to extract or modify sensitive data. In this case, the vulnerability allows an attacker to execute unauthorized SQL commands via crafted HTTP/HTTPS requests, potentially leading to unauthorized access to sensitive data.
Kentaro Kawane from GMO Cybersecurity reported this vulnerability under responsible disclosure. WatchTowr researchers conducted a binary diffing comparison of Fortinet's httpsd service between versions 7.6.3 and 7.6.4, which revealed the specific changes introduced in the new version to address the issue. However, it was discovered that due to misconfiguration, files could be written as root, enabling more impactful exploits.
The researchers then explored how to escalate the vulnerability to remote code execution. They used MySQL's INTO OUTFILE statement, which allows writing arbitrary files to the server's filesystem, typically with limited mysql user privileges. However, they found a way to bypass file size limits and path constraints using a relative file path and extracting payload chunks from the database itself.
Ultimately, the researchers successfully executed code by crafting and placing a .pth file that ran their desired Python code when the CGI script was triggered. This demonstrated the potential for exploitation of this critical vulnerability in Fortinet's web security solution.
The exploit activity observed since July 11th has resulted in dozens of compromised systems. According to Shadowserver, 85 FortiWeb hacks dropped to 35 by July 18. Censys found over 20,000 Fortinet FortiWeb devices online, although many weren't clearly exposed due to limited information and filtering.
Administrators are strongly advised to apply patches immediately due to the availability of public exploits. The Fortinet security team has released security patches in versions 7.6.4, 7.4.8, 7.2.11, and 7.0.11 to address this vulnerability.
In conclusion, the Fortinet FortiWeb flaw CVE-2025-25257 highlights the importance of timely patching and updating software to prevent such vulnerabilities from being exploited. The fact that hackers were able to exploit this vulnerability hours after its public disclosure emphasizes the need for organizations to prioritize their security posture and apply patches promptly.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Fortinet-FortiWeb-Flaw-A-Critical-Vulnerability-Exploited-Hours-After-Public-Disclosure-ehn.shtml
https://securityaffairs.com/180118/hacking/fortinet-fortiweb-flaw-cve-2025-25257-exploited-hours-after-poc-release.html
Published: Sat Jul 19 12:31:17 2025 by llama3.2 3B Q4_K_M
