Hackers Strike Fast: Fortinet FortiWeb Flaw Exploited Within Hours!

Hackers wasted no time exploiting the Fortinet FortiWeb flaw CVE-2025-25257, striking within hours of a proof-of-concept being released. This SQL injection vulnerability left systems more open than a 24-hour diner, prompting administrators to patch faster than a caffeine-fueled coder.

Hot Take:

Looks like Fortinet just got an unexpected SQL surprise party invitation, and everyone crashed it before they could say ‘patch’! Hackers sure know how to RSVP to a PoC faster than Fortinet can say “vulnerability management”.

Key Points:

  • Hackers exploited Fortinet FortiWeb flaw CVE-2025-25257 on the same day a PoC was released.
  • The flaw is a SQL injection vulnerability, allowing unauthorized SQL command execution.
  • Fortinet released security patches in multiple versions to address the issue.
  • Researchers escalated the SQL injection to remote code execution by planting a Python .pth file that runs when a CGI script starts the interpreter.
  • Shadowserver reported a drop in compromised FortiWeb instances from 85 to 35.

SQL Injection: The Unwanted Guest

Picture this: Fortinet’s FortiWeb is just chilling, minding its own business, when suddenly it’s hit by a SQL injection vulnerability, CVE-2025-25257, with a CVSS score of 9.6. Talk about unexpected guests! This flaw allowed hackers to crash the party, executing unauthorized SQL commands via specially crafted HTTP/HTTPS requests. The PoC exploit was released on July 11, and hackers wasted no time in RSVP-ing with a resounding “yes,” compromising dozens of systems in the process. It’s like hackers have a sixth sense for vulnerability announcements!

Patches: A Race Against Time

In response to this party crasher, Fortinet quickly released security patches in versions 7.6.4, 7.4.8, 7.2.11, and 7.0.11. You know what they say: better patch late than never. The vulnerability was initially reported by Kentaro Kawane from GMO Cybersecurity under responsible disclosure. Just think of it as Fortinet’s way of saying, “Oops, our bad, here’s a fix!” Researchers at WatchTowr decided to conduct a binary diffing comparison to spot the differences between versions, revealing the security patch that Fortinet had slipped in. Sherlock Holmes would be proud of their detective work!

Pythons and .pth Files: A Hacker’s Best Friends

Once the SQL injection vulnerability was discovered, researchers went full MacGyver, exploring ways to escalate it to remote code execution. They used the injection to write a web shell into a CGI-enabled directory, but alas, the file wasn’t executable there. Talk about a bummer! Undeterred, they turned to a Python script (ml-draw.py) in the CGI directory, which Apache runs via /bin/python. That gave them a target: Python’s site module processes every .pth file in a site-packages directory at interpreter startup, and any line in such a file that begins with “import” is executed as code rather than treated as a path entry. By writing a .pth file into the interpreter’s site-packages, they got arbitrary code execution the next time the CGI script was triggered, turning a legitimate interpreter feature into an opportunity. It’s like using a Swiss Army knife to solve your IT problems!
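To make the .pth mechanism concrete, here is an added example (written for this page, not code from the article or from the watchTowr researchers). It assumes only a scratch directory: the payload .pth file is written there and the directory is registered with site.addsitedir() in a fresh interpreter, standing in for the real site-packages directory that Python scans automatically. A second function, executable_pth_lines(), is the defender’s side: it lists every line a .pth file would execute, which is the check to run over a suspect site-packages directory. The file names, the marker file and the payload line are all constructed for the demonstration.

```python
"""Added example: .pth files as a file-write-to-code-execution primitive,
and a scanner for the lines in .pth files that the interpreter would exec().
Hypothetical names (hook.pth, marker.txt) and a temp dir stand in for the
real site-packages directory on the device."""
import os
import subprocess
import sys
import tempfile


def write_pth_payload(site_dir, name, marker_path):
    # Python's site module reads every *.pth in a site directory. Ordinary
    # lines are appended to sys.path; a line starting with "import " is
    # passed to exec(). That second rule is the whole primitive: anyone who
    # can write a file here runs code at the next interpreter start-up.
    payload = f"import os; open({marker_path!r}, 'w').write('pth executed')\n"
    path = os.path.join(site_dir, name)
    with open(path, "w") as f:
        f.write(payload)
    return path


def run_python_with_site_dir(site_dir, script):
    # Stand-in for Apache launching a CGI script under /bin/python: a fresh
    # interpreter. On a real host the site-packages directory is processed
    # automatically; here site.addsitedir() registers the scratch directory so
    # nothing outside it is touched. The .pth line runs before `script`.
    code = f"import site; site.addsitedir({site_dir!r})\n{script}"
    result = subprocess.run([sys.executable, "-c", code],
                            capture_output=True, text=True)
    return result.returncode


def executable_pth_lines(site_dir):
    # Defender's check: return (file, line) for every line in a .pth file that
    # the site module would exec(). Some packages ship legitimate import lines,
    # so review the list rather than treating every hit as malicious.
    findings = []
    for entry in sorted(os.listdir(site_dir)):
        if not entry.endswith(".pth"):
            continue
        with open(os.path.join(site_dir, entry)) as f:
            for line in f:
                line = line.rstrip("\n")
                if line.startswith(("import ", "import\t")):
                    findings.append((entry, line))
    return findings


def demo():
    # Returns (payload_fired, executable_lines_found).
    site_dir = tempfile.mkdtemp()
    marker = os.path.join(site_dir, "marker.txt")
    write_pth_payload(site_dir, "hook.pth", marker)
    rc = run_python_with_site_dir(site_dir, "print('script body ran')")
    fired = rc == 0 and os.path.exists(marker)
    return fired, executable_pth_lines(site_dir)


if __name__ == "__main__":
    fired, lines = demo()
    print("payload ran before the script body:", fired)
    for filename, line in lines:
        print(f"{filename}: {line}")
```

Note that exceptions raised by a .pth line are caught and reported by the site module, so the interpreter still starts and the calling script runs; an attacker’s payload therefore fails quietly rather than breaking the CGI script, which is one reason to scan for these lines rather than wait for errors.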

Detection and Tracking: The Cat-and-Mouse Game

With the PoC exploit code making its rounds, Shadowserver researchers observed the number of hacked FortiWeb instances drop from 85 to 35 by July 18. The first exploitation attempts were recorded on July 11, right after the PoC was released. Meanwhile, Censys found over 20,000 Fortinet FortiWeb devices online, though many weren’t directly exposed. It’s like a game of cat-and-mouse, with the hackers trying to outsmart the defenders at every turn.

Patch Now or Regret Later

The moral of the story? Administrators are strongly advised to apply those security patches immediately, given the availability of public exploits. It’s like Fortinet’s version of “The Purge,” where hackers are free to wreak havoc on vulnerable systems if left unpatched. So, if you’re in charge of a Fortinet FortiWeb device, don’t procrastinate—patch it up before the hackers RSVP again!

As always, for more cybersecurity shenanigans, follow Pierluigi Paganini on Twitter, Facebook, and Mastodon. And remember, in the world of cybersecurity, it’s patch or be patched… by hackers!
