A critical SQL injection vulnerability in Fortinet FortiWeb, tracked as CVE-2025-25257, has been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog following confirmation of active exploitation in the wild. With a CVSS score of 9.6, this vulnerability poses an urgent threat to web application infrastructure worldwide.
CVE-2025-25257 is an unauthenticated SQL injection vulnerability affecting FortiWeb, Fortinet's web application firewall (WAF), which is designed to protect against malicious HTTP traffic.
"An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests," Fortinet's advisory warns.
This flaw allows attackers to execute arbitrary SQL commands, and researchers have already developed proof-of-concept (PoC) exploits [1,2] that enable remote code execution (RCE), including reverse shells and web shells.
On July 18, Fortinet confirmed that the vulnerability is being exploited in the wild. Multiple FortiWeb instances have reportedly been infected with web shells, likely as a direct result of public exploits targeting this flaw.
"Fortinet has observed this to be exploited in the wild on FortiWeb," the vendor acknowledged.
The Shadowserver Foundation has tracked dozens of infections, reporting 85 compromised systems on July 14 and 77 the following day.
Fortinet issued patches on July 8, 2025, in the following fixed versions:
- FortiWeb 7.6.4
- FortiWeb 7.4.8
- FortiWeb 7.2.11
- FortiWeb 7.0.11
Users of earlier releases on any of these branches should upgrade to the corresponding fixed version immediately. In addition, Federal Civilian Executive Branch (FCEB) agencies in the United States are required to remediate the flaw by August 8, 2025, under CISA's Binding Operational Directive 22-01.
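To turn the fixed-version list above into a quick fleet triage, here is an added example (not Fortinet's or CISA's tooling) that parses a FortiWeb version string, maps it to its release branch, and reports whether it is at or above the fixed build. It assumes that every release below the listed fix on each of the four branches is affected, which is the normal reading of a "fixed in X.Y.Z" list but should be confirmed against the vendor advisory; branches not named on this page (for example 6.x) are reported as unknown rather than guessed at. The inventory at the bottom is constructed sample data.

```python
"""Triage FortiWeb versions against the CVE-2025-25257 fixed releases.

Added example; not vendor or CISA code. FIXED holds the fixed builds listed
in the article. Assumption: every earlier release on those branches is
affected. Branches not listed are reported as 'unknown'.
"""
import re

# branch (major, minor) -> first fixed release on that branch (from the page)
FIXED = {
    (7, 6): (7, 6, 4),
    (7, 4): (7, 4, 8),
    (7, 2): (7, 2, 11),
    (7, 0): (7, 0, 11),
}

# Accept the bare "7.4.7" form as well as longer status strings that embed it.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) found in a version/status string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Classify one version: ('fixed'|'vulnerable'|'unknown', fixed_release_or_None)."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch not in FIXED:
        # Branch not covered by the fix list on this page; check the advisory.
        return "unknown", None
    fixed = FIXED[branch]
    # Tuple comparison handles e.g. 7.0.12 >= 7.0.11 correctly.
    if version >= fixed:
        return "fixed", fixed
    return "vulnerable", fixed


def triage_inventory(inventory):
    """Return hosts needing action, most urgent first.

    inventory: dict host -> version string.
    Result rows: (host, status, version_tuple, fixed_release_or_None).
    'vulnerable' hosts sort before 'unknown'; 'fixed' hosts are omitted.
    """
    order = {"vulnerable": 0, "unknown": 1}
    rows = []
    for host, text in inventory.items():
        status, fixed = assess(text)
        if status == "fixed":
            continue
        rows.append((host, status, parse_version(text), fixed))
    rows.sort(key=lambda r: (order[r[1]], r[0]))
    return rows


def format_version(v):
    """Render a version tuple as dotted text for reporting."""
    return ".".join(str(x) for x in v)


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "waf-dmz-01": "FortiWeb-VM 7.4.7,build1234(GA)",
    "waf-dmz-02": "7.4.8",
    "waf-branch-01": "7.2.10",
    "waf-lab-01": "7.6.4",
    "waf-legacy-01": "6.4.2",
}

if __name__ == "__main__":
    for host, status, version, fixed in triage_inventory(SAMPLE_INVENTORY):
        target = format_version(fixed) if fixed else "see vendor advisory"
        print(f"{host:16} {status:11} running {format_version(version):8} fix: {target}")
```

Feed it the version strings from your asset inventory; anything reported as vulnerable is on a branch named in the advisory and below the fixed build, while unknown rows are branches the page does not cover and need a manual check rather than an assumption either way.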