Thousands of Fortinet devices hacked using a novel attack technique
In a concerning development for organizations using Fortinet FortiWeb devices, a critical vulnerability (CVE-2025-25257) has been exploited, enabling remote code execution (RCE) and resulting in widespread compromises worldwide. The flaw, which is a pre-authenticated SQL injection, has allowed attackers to plant web shells and establish symlink-based persistence mechanisms on compromised devices.
The exploitation activity began in early July 2025 and peaked at around 85 compromised FortiWeb instances before decreasing to about 35-49 as of mid-July, according to threat intelligence reports and data from the Shadowserver Foundation. FortiWeb devices exposed to the internet are the main targets, with over 20,000 internet-accessible FortiWeb appliances identified, though not all are vulnerable or directly exposed.
The compromise on FortiWeb devices may have granted the actor access to sensitive files, including credentials and key material. To make matters worse, symlink modifications have evaded Fortinet's detections and persisted after updates, providing attackers with a means to maintain footholds on compromised devices.
France's Computer Emergency Response Team (CERT-FR) has reported widespread attacks involving compromised devices in the country. CERT-FR and New Zealand's Computer Emergency Response Team (CERT-NZ) have both warned that the symlink mechanism may have given the threat actor access to highly sensitive data on Fortinet devices.
In response to the threat, Fortinet has communicated directly with affected customers and released updates and mitigations to detect, remove, and prevent the symlink from being redeployed. Organizations using FortiWeb devices are urged to urgently upgrade to the security patches addressing CVE-2025-25257 in versions 7.6.4, 7.4.8, 7.2.11, and 7.0.11. If immediate patching is not feasible, Fortinet advises disabling the affected FortiWeb Fabric Connector web interface to mitigate the risk of exploitation.
In addition to patching, organizations are advised to conduct comprehensive scans for web shells, symlink-based persistence, and other signs of compromise on FortiWeb instances and associated infrastructure. Removing unauthorized access artifacts and considering rebuilding compromised systems if persistent backdoors are found is also recommended.
To limit FortiWeb device exposure, organizations should restrict access to trusted networks and use firewalls, VPNs, or other secure access methods to reduce the attack surface. Enhanced monitoring for unusual FortiWeb behavior or network anomalies and subscribing to threat intelligence feeds, such as Shadowserver reports, for real-time updates on exploitation trends are also crucial.
Given FortiWeb’s role as an integrator in the Fortinet ecosystem, assessing security posture and patch levels across all connected Fortinet products to prevent lateral movement is essential. The countries with the most compromised devices are the U.S., Japan, Taiwan, and China. CERT-FR has learned of compromises occurring since early 2023.
In conclusion, the ongoing exploitation of CVE-2025-25257 in Fortinet FortiWeb poses a critical threat to organizations with exposed or unpatched devices. Immediate patching combined with rigorous detection and mitigation efforts is essential to prevent further compromise and remove established persistence mechanisms.
- In the face of this critical threat, it is essential for organizations using Fortinet FortiWeb devices to initiate incident response procedures, focusing on swiftly upgrading to the security patches addressing CVE-2025-25257, and conducting comprehensive scans to remove any signs of compromise.
- To enhance network security and limit the impact of the exploitation of CVE-2025-25257, organizations should implement cybersecurity measures, such as restricting access to trusted networks, using firewalls, VPNs, or other secure access methods, and employing enhanced monitoring and subscribing to threat intelligence feeds.
