Hackers are actively exploiting a critical flaw in Fortinet’s FortiWeb Fabric Connector, according to cybersecurity experts.
The vulnerability, tracked as CVE-2025-25257, involves an improper neutralization of special elements used in an SQL command. Successful exploitation of the vulnerability can allow an attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests, according to a Fortinet advisory.
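The weakness class the advisory names, improper neutralization of special elements in an SQL command (the textbook SQL injection), is easiest to understand side by side with its fix. The snippet below is an added illustration of that class, not FortiWeb code and not a reconstruction of the flaw; it uses a constructed in-memory SQLite table and hypothetical `lookup_vulnerable` / `lookup_safe` functions to show why string-built SQL interprets caller input as code while a bound parameter does not.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for any application data store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_keys (key TEXT, owner TEXT)")
    conn.execute(
        "INSERT INTO api_keys VALUES ('k-1111', 'alice'), ('k-2222', 'bob')"
    )
    return conn


def lookup_vulnerable(conn, key):
    """Builds the statement by string formatting (hypothetical, CWE-89 pattern).

    Quote characters and SQL keywords in `key` are spliced straight into the
    statement text, so the database executes whatever the caller supplied.
    """
    sql = f"SELECT owner FROM api_keys WHERE key = '{key}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, key):
    """Hardened form: the value is bound as a parameter.

    The driver sends the statement and the value separately, so the input is
    only ever compared as data and can never change the query's structure.
    """
    sql = "SELECT owner FROM api_keys WHERE key = ?"
    return [row[0] for row in conn.execute(sql, (key,))]


if __name__ == "__main__":
    db = make_db()
    # A well-formed key behaves identically in both versions.
    print(lookup_vulnerable(db, "k-1111"), lookup_safe(db, "k-1111"))
    # A classic tautology payload: the vulnerable query returns every row,
    # the parameterised one matches nothing because no key has that literal value.
    payload = "x' OR '1'='1"
    print(lookup_vulnerable(db, payload), lookup_safe(db, payload))
```

The same contrast is what a code review or static-analysis rule looks for: any place where request-controlled strings are concatenated into SQL text rather than passed as bound parameters is a candidate for this class of bug, regardless of how the surrounding web interface authenticates the caller.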
FortiWeb Fabric Connector serves as an interface between the FortiWeb firewall and other Fortinet products, feeding information from those other products into FortiWeb to support its dynamic security protections.
Shadowserver Foundation said it had detected approximately 49 compromised Fortinet FortiWeb instances as of Thursday. That figure was down from the 85 compromised instances the group detected on Monday and the 77 detected on Tuesday. Shadowserver said it has observed active exploitation since July 11.
“The advisory published by Fortinet is clear about the severity of the risk: This is a critical unauthenticated SQL injection vulnerability that must either be patched immediately or mitigated by fully disabling the affected web interface,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, told Cybersecurity Dive. “The surge in compromised devices reflects how quickly threat actors are now operating, far faster than they have in the past.”
Researchers at watchTowr published extensive research on the vulnerability last week. Fortinet credited a company called GMO Cybersecurity with reporting the flaw to it.
It remains unclear which threat actors are targeting FortiWeb or what their motivations are.
Because it links FortiWeb to other Fortinet products, FortiWeb Fabric Connector is considered a particularly important component. Dewhurst said the connector enables key functions such as SSO integration and dynamic policy enforcement.
“Fortinet may not have been aware of exploitation prior to the disclosure and now that signatures and detections for the vulnerability have been written, other organizations are detecting exploitation of the vulnerability,” Patrick Garrity, security researcher at VulnCheck, told Cybersecurity Dive.