CISA Flags Fortinet Flaw as Hackers Target Firewalls

The U.S. Cybersecurity and Infrastructure Security Agency added a critical Fortinet FortiWeb vulnerability to its Known Exploited Vulnerabilities catalog, warning of widespread exploitation. CISA Flags Fortinet Flaw CVE-2025-25257, a SQL injection bug rated 9.6 out of 10 on the CVSS scale, which allows unauthenticated attackers to execute malicious SQL commands via crafted HTTP or HTTPS requests.

The flaw resides in FortiWeb’s Fabric Connector, which links the firewall to other Fortinet tools. CISA Flags Fortinet Flaw as threat actors exploit it through the /api/fabric/device/status endpoint using crafted Authorization headers. The Shadowserver Foundation reported 77 compromised FortiWeb devices on July 15, down from 85 the previous day. Attackers use webshells to maintain persistent access, with the U.S. seeing the most infections.

Fortinet issued patches on July 8. CISA urges swift remediation. Read the full report for patch details and mitigation steps:

CISA Warns of Fortinet FortiWeb SQL Injection Vulnerability Exploited in Attacks