New Fortinet FortiWeb hacks likely linked to public RCE exploits
CVSS: 9.6 - 9.8 (Critical)

Information
Fortinet is a cybersecurity company that develops a wide range of solutions, including FortiWeb, a Web Application Firewall (WAF) product designed to protect web applications and APIs from various web security threats such as SQL injection, cross-site scripting (XSS), data breaches, and API-based attacks. FortiWeb is also part of the Fortinet Security Fabric, an integrated security system that connects all Fortinet products together, such as FortiSandbox, FortiGate, and FortiAnalyzer.

Incident
On July 11 2025, researchers from cybersecurity company watchTowr discovered that Fortinet FortiWeb systems had been compromised with web shells installed by hackers. The attack is believed to have exploited a recently patched Remote Code Execution (RCE) vulnerability, CVE-2025-25257, a critical SQL Injection (SQLi) flaw that can be exploited without authentication. This vulnerability affects FortiWeb versions 7.6.0 to 7.6.3, 7.4.0 to 7.4.7, and 7.0.0 to 7.0.10. On July 14 2025, threat monitoring platform The Shadowserver Foundation reported tracking activity related to this threat, revealing that 85 devices had been compromised, with 77 more the following day. As of July 18 2025, it was found that 223 FortiWeb management interfaces were still exposed to the internet.
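To turn the affected version ranges above into an inventory check, here is an added example (not code from the page, Fortinet or watchTowr). It assumes FortiWeb versions are recorded as three-part dotted strings such as "7.6.2" and only encodes the ranges this page lists; branches not listed here (for example 7.2.x) are reported separately so they can be checked against the vendor advisory rather than silently marked safe.

```python
# Affected FortiWeb version ranges for CVE-2025-25257 as listed on this page:
# ((major, minor), lowest affected patch, highest affected patch)
AFFECTED_RANGES = [
    ((7, 6), 0, 3),   # 7.6.0 through 7.6.3
    ((7, 4), 0, 7),   # 7.4.0 through 7.4.7
    ((7, 0), 0, 10),  # 7.0.0 through 7.0.10
]


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a dotted version such as '7.6.2' into (major, minor, patch).

    Raises ValueError for anything that is not exactly three numeric parts,
    so malformed inventory entries are surfaced instead of silently passing.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the ranges listed on this page."""
    major, minor, patch = parse_version(version)
    for (r_major, r_minor), low, high in AFFECTED_RANGES:
        if (major, minor) == (r_major, r_minor) and low <= patch <= high:
            return True
    return False


def triage_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket a {hostname: version} inventory into affected / not listed / unparsable.

    'not_in_listed_ranges' covers both patched builds (e.g. 7.6.4) and branches
    this page does not mention, so those hosts still need a vendor-advisory check.
    """
    result = {"affected": [], "not_in_listed_ranges": [], "unparsable": []}
    for host, version in inventory.items():
        try:
            bucket = "affected" if is_affected(version) else "not_in_listed_ranges"
        except ValueError:
            bucket = "unparsable"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"waf-dc1": "7.6.3", "waf-dc2": "7.6.4", "waf-branch": "7.4.7",
              "waf-lab": "7.2.5", "waf-old": "7.0.10", "waf-bad": "7.6"}
    for bucket, hosts in triage_inventory(sample).items():
        print(f"{bucket}: {hosts}")
```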
Remediation Steps
If upgrading the software immediately is not possible, you should:
The important thing is the security of your systems. We must stay vigilant and keep monitoring as usual.
For more information please contact:
Email: sales@inetms.co.th
Reference
- https://nvd.nist.gov/vuln/detail/CVE-2025-25257
Weekly Interesting CVE
| NO. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS | Detail | Solution | Reference |
|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2025-49463 | 09/07/2025 | 10/07/2025 | Zoom Clients for iOS before version 6.4.5 | Control Flow Bypass Attack | 6.5 | Insufficient control flow management in certain Zoom Clients for iOS before version 6.4.5 may allow an unauthenticated user to conduct a disclosure of information via network access. | Upgrade to ver. 6.4.5 | |
| 2 | CVE-2025-52521 | 10/07/2025 | 10/07/2025 | Trend Micro Security 17.8 | Privilege Escalation | 7.8 | Trend Micro Security 17.8 (Consumer) is vulnerable to a link following local privilege escalation vulnerability that could allow a local attacker to unintentionally delete privileged Trend Micro files including its own. | Upgrade to ver. 17.8.1476 | |
| 3 | CVE-2025-7096 | 06/07/2025 | 08/07/2025 | Comodo Internet Security Premium 12.3.4.8162 | Remote Attack | 8.2 | A vulnerability classified as critical was found in Comodo Internet Security Premium 12.3.4.8162. This vulnerability affects unknown code of the file cis_update_x64.xml of the component Manifest File Handler. The manipulation leads to improper validation of integrity check value. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | No mitigation known. | https://nvd.nist.gov/vuln/detail/CVE-2025-7096 |
| 4 | CVE-2025-25257 | 08/07/2025 | 08/07/2025 | FortiWeb 7.6 versions 7.6.0 through 7.6.3 | SQL Injection | 8.9 | An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests. | Upgrade to ver. 7.6.4 | https://fortiguard.fortinet.com/psirt/FG-IR-25-151?ref=labs.watchtowr.com |
| 5 | CVE-2024-38648 | 12/07/2025 | 12/07/2025 | Ivanti DSM before 2024.2 | Authenticated Attacker | 9.0 | A hardcoded secret in Ivanti DSM before 2024.2 allows an authenticated attacker on an adjacent network to decrypt sensitive data including user credentials. | Upgrade to ver. 2024.2 | https://nvd.nist.gov/vuln/detail/CVE-2024-38648 |
| No | Campaign Name | Detection Date | Attack Type | Description | Mitigation/Remediation |
|---|---|---|---|---|---|
| 1 | Pay2Key Ransomware Gang Resurfaces With Incentives to Attack US, Israel | 12/07/2025 | Ransomware | The hacker group Pay2Key, which has been linked to Iran, has reemerged under a new name, Pay2Key.I2P, offering its services in a Ransomware-as-a-Service (RaaS) model. The group is now offering affiliates up to 80% revenue share to incentivize attacks specifically targeting the United States and Israel, which appear to be their primary focus. Experts believe this renewed activity is likely tied to Iranian intelligence operations, suggesting the group's motives may be more political than financial. Pay2Key is also associated with Fox Kitten (UNC757) and was previously known for attacking technology and financial companies in Israel in 2020. Their methods involve advanced techniques such as payload encryption, disabling Microsoft Defender, and DLL injection, and they are now believed to be linked to Mimic ransomware as well. | This incident highlights that state-backed ransomware threats remain a serious concern, and organizations must implement effective response measures, including proactive threat detection, strict access controls, and robust backup and recovery plans. |
05 August 2025