Hackers are actively exploiting a serious flaw in Fortinet’s FortiWeb Fabric Connector, a tool that helps Fortinet products work together to improve network security.

The flaw, tracked as CVE-2025-25257, allows attackers to send specially crafted web requests that trick the system into running unauthorized SQL commands. In some cases, this can even lead to full remote control of the device.

The vulnerability affects FortiWeb versions 7.0 through 7.6, unless they’ve been updated to the fixed versions released earlier this month. Fortinet confirmed the issue and credited the discovery to GMO Cybersecurity. The flaw exists in a part of the system that doesn’t properly filter special characters, making it possible for attackers to inject harmful commands.

Security researchers say the flaw is already being used in the wild. The Shadowserver Foundation reported 85 FortiWeb devices had been compromised on Monday. That number dropped to 77 by Tuesday and 49 by Thursday, suggesting that some organizations are patching, but others may still be exposed. The first signs of active exploitation appeared on July 11.

Ryan Dewhurst, head of proactive threat intelligence at watchTowr, emphasized the urgency: “This is a critical unauthenticated SQL injection vulnerability that must either be patched immediately or mitigated by fully disabling the affected web interface. The surge in compromised devices reflects how quickly threat actors are now operating, far faster than they have in the past.”

Researchers from watchTowr published detailed findings last week, explaining how attackers can use the flaw to upload malicious code and trigger it to run with root-level access. The FortiWeb Fabric Connector’s role in sharing security data between systems makes it an especially attractive target. It supports features like single sign-on and dynamic policy enforcement.

Patrick Garrity, a security researcher at VulnCheck, added, “Fortinet may not have been aware of exploitation prior to the disclosure and now that signatures and detections for the vulnerability have been written, other organizations are detecting exploitation of the vulnerability.”

Security experts strongly recommend that all users of FortiWeb firewalls patch the affected systems right away. If immediate patching isn’t possible, the next best step is to disable the web interface entirely until the issue can be fixed.