BleepingComputer reports that threat actors have planted web shells on numerous Fortinet FortiWeb instances, in attacks suspected to have used publicly available exploits for CVE-2025-25257, a critical pre-authentication SQL injection flaw that leads to remote code execution.
The U.S. accounted for most of the compromised FortiWeb instances, followed by the Netherlands, Singapore, and the UK, according to The Shadowserver Foundation, which also noted the presence of over 200 internet-exposed FortiWeb web application firewalls. These findings, which come days after cybersecurity firm watchTowr disclosed exploits for the vulnerability that could allow web shell injection, should prompt immediate upgrades to the fixed FortiWeb versions that Fortinet released last week. "An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests," said Fortinet, which recommended disabling the HTTP/HTTPS admin interface as a workaround for those that cannot promptly apply the fixes.