Skip to main content
close search
site logo

Researchers warn of cyberattacks targeting key Fortinet software

Experts urged Fortinet customers to immediately apply patches or disable the affected administrative interface.

Published July 17, 2025
David Jones's headshot
Reporter
Ransomware Data Breach Protection Cyber Security Email Phishing Encrypted Technology, Digital Information Protected Secured
Just_Super via Getty Images

Hackers are actively exploiting a critical flaw in Fortinet’s FortiWeb Fabric Connector, according to cybersecurity experts.

The vulnerability, tracked as CVE-2025-25257, involves an improper neutralization of special elements used in an SQL command. Successful exploitation of the vulnerability can allow an attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests, according to a Fortinet advisory.

FortiWeb Fabric Connector serves as an interface between the FortiWeb firewall and other Fortinet products, feeding information from those other products into FortiWeb to support its dynamic security protections.

Shadowserver Foundation said that it had detected approximately 49 Fortinet FortiWeb instances that have been compromised as of Thursday. That figure represented a decrease from the 85 compromised instances that the group detected on Monday and the 77 instances detected on Tuesday. Shadowserver said it has seen active exploitation since July 11. 

“The advisory published by Fortinet is clear about the severity of the risk: This is a critical unauthenticated SQL injection vulnerability that must either be patched immediately or mitigated by fully disabling the affected web interface,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, told Cybersecurity Dive. “The surge in compromised devices reflects how quickly threat actors are now operating, far faster than they have in the past.”

Researchers at watchTowr published extensive research on the vulnerability last week. Fortinet credited a company called GMO Cybersecurity with reporting the flaw to it.

It remains unclear which threat actors are targeting FortiWeb or what their motivations are. 

Because of its role in enabling connectivity between Fortinet products, FortiWeb Fabric Connector is considered a very important program. Dewhurst said the connector enables important functions like SSO integration and dynamic policy enforcement.

Fortinet may not have been aware of exploitation prior to the disclosure and now that signatures and detections for the vulnerability have been written, other organizations are detecting exploitation of the vulnerability,” Patrick Garrity, security researcher at VulnCheck, told Cybersecurity Dive.

Filed Under: Vulnerability

Editors' picks

Company Announcements

View all | Post a press release
Anne Arundel Dermatology Data Breach Investigation
From Migliaccio & Rathod LLP
July 17, 2025
Lab 1 unveils industry-first capability to safely preview exposed files from data breaches
From Lab 1
July 10, 2025
Lab 1 logo
Miggo Redefines Vulnerability Management with Launch of VulnDB
From McKinsey Next Trend Cyber News
July 15, 2025
Editors' picks
Latest in Vulnerability
Industry Dive is an Informa TechTarget business.
© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.