Ongoing attacks exploiting the critical Fortinet FortiWeb SQL injection flaw, tracked as CVE-2025-25257, have prompted its addition to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog, with federal agencies urged to remediate the defect by August 8, according to Security Affairs.
Threat actors were observed beginning intrusions that leveraged CVE-2025-25257 on July 11, one day after the release of a proof-of-concept exploit that could be used to execute unauthorized SQL commands through crafted HTTP/HTTPS requests. The development comes as The Shadowserver Foundation reported that the number of vulnerable FortiWeb instances compromised with web shells through CVE-2025-25257 exploitation declined significantly between July 11 and 18. A separate analysis by Censys identified over 20,000 internet-exposed FortiWeb appliances, but the number of affected instances remains unclear. "A large number of hosts returned error codes (500/503), possibly due to filtering, but this does not guarantee they are fully protected. Note that we cannot identify version information for any of these hosts, so inferring vulnerability status is not possible," said Censys.