New Fortinet FortiWeb hacks likely linked to public RCE exploits www.bleepingcomputer.com/news/secu…
Multiple Fortinet FortiWeb instances recently infected with web shells are believed to have been compromised using public exploits for a recently patched remote code execution (RCE) flaw tracked as CVE-2025-25257.
News of the exploitation activity comes from threat monitoring platform The Shadowserver Foundation, which observed 85 infections on July 14 and 77 on the next day.
The researchers reported that these Fortinet FortiWeb instances are believed to have been compromised through the CVE-2025-25257 flaw.
On July 11, exploits were made public by cybersecurity firm WatchTowr and by a co-discoverer of the flaw, “faulty *ptrrr.” These exploits demonstrated methods for planting web shells or opening reverse shells on unpatched endpoints.