Full Report
Multiple Fortinet FortiWeb instances recently infected with web shells are believed to have been compromised using public exploits for a recently patched remote code execution (RCE) flaw tracked as CVE-2025-25257. [...]
Analysis Summary
# Vulnerability: Fortinet FortiWeb Remote Code Execution via Python Library Manipulation
## CVE Details
- CVE ID: CVE-2025-25257 (the recently patched FortiWeb RCE flaw named in the full report above).
- CVSS Score: *Not explicitly stated in the provided text.*
- CWE: *Not explicitly stated in the provided text.*
## Affected Systems
- Products: Fortinet FortiWeb (Web Application Firewall - WAF)
- Versions: *Specific vulnerable versions are not detailed, but all versions lacking the patch are vulnerable.*
- Configurations: Devices exposed to the network with the HTTP/HTTPS administrative interface enabled.
## Vulnerability Description
The vulnerability involves the manipulation of Python dependencies by writing a malicious `.pth` file into the Python 'site-packages' directory. The Python interpreter processes every `.pth` file in that directory at start-up, and any line in such a file that begins with `import` is executed as Python code rather than treated as a path entry. When a legitimate FortiWeb CGI script, specifically `/cgi-bin/ml-draw.py`, is accessed remotely, the interpreter it starts loads the malicious `.pth` file and executes the code it contains, resulting in Remote Code Execution (RCE) on the affected device.
## Exploitation
- Status: **Exploited in the wild** (Confirmed by The Shadowserver Foundation)
- Complexity: *Not explicitly stated, but likely low given public exploits.*
- Attack Vector: Network (Remote access to the administrative interface is required).
## Impact
- Confidentiality: *High (Implied by RCE)*
- Integrity: *High (Implied by RCE)*
- Availability: *High (Implied by RCE)*
## Remediation
### Patches
- The primary recommendation is to upgrade to a secure version provided by Fortinet immediately.
- *Specific patched version numbers are not listed in the source text.*
### Workarounds
- If immediate upgrading is not feasible, administrators are recommended to **turn off the HTTP/HTTPS administrative interface** entirely.
- Restrict access to the vulnerable component: `/api/fabric/device/status`.
## Detection
- **Indicators of Compromise (IoC):** Successful exploitation involves the creation of a malicious `.pth` file in the Python 'site-packages' directory, followed by a request to `/cgi-bin/ml-draw.py` that triggers it.
- **Detection Methods and Tools:** Monitor for new or modified `.pth` files in the Python 'site-packages' directory (in particular files whose `import` lines carry more than a bare module name), and monitor traffic targeting the `/cgi-bin/ml-draw.py` script, the `/api/fabric/device/status` endpoint named under Workarounds, or the administrative management interfaces.
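The two checks listed above, as an added example that is not part of the original report or of Fortinet's own tooling: a scanner that flags `.pth` files carrying code-executing `import` lines (the execution primitive described under Vulnerability Description), and a log filter that picks out requests to the two paths the report names. The site-packages location, the access-log format and the sample `.pth` bodies and log lines are constructed assumptions; treating one client that touches both paths as a higher-confidence hit is this example's own heuristic.

```python
"""Detection helpers for the FortiWeb .pth / ml-draw.py technique (added example)."""
import re
from pathlib import Path
from typing import Iterable

# Python evaluates every *.pth file in site-packages at interpreter start-up.
# Plain lines are appended to sys.path; a line starting with "import " is
# executed as code. A benign import line names bare modules only, so an
# import line that continues with ";" or a call is worth a look.
EXEC_LINE = re.compile(r"^\s*import\s")
BENIGN_IMPORT = re.compile(r"^\s*import\s+[\w.]+(\s*,\s*[\w.]+)*\s*(#.*)?$")

# Paths named in the report: the trigger script and the endpoint to restrict.
WATCHED_PATHS = ("/cgi-bin/ml-draw.py", "/api/fabric/device/status")

# Assumed combined-style access log: client - - [time] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_pth_lines(text: str) -> list[str]:
    """Return import lines in a .pth body that do more than import a module."""
    return [
        line.strip()
        for line in text.splitlines()
        if EXEC_LINE.match(line) and not BENIGN_IMPORT.match(line)
    ]


def scan_pth_texts(files: dict[str, str]) -> dict[str, list[str]]:
    """Map file name -> suspicious lines, keeping only files with hits."""
    hits = {name: suspicious_pth_lines(body) for name, body in files.items()}
    return {name: lines for name, lines in hits.items() if lines}


def scan_site_packages(site_packages: Path) -> dict[str, list[str]]:
    """Read every *.pth under an assumed site-packages path and scan it."""
    return scan_pth_texts(
        {p.name: p.read_text(errors="replace") for p in sorted(site_packages.glob("*.pth"))}
    )


def flag_requests(lines: Iterable[str]) -> list[dict]:
    """Keep parsed log entries whose path (query stripped) is a watched path."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        path = m["path"].split("?", 1)[0]
        if path in WATCHED_PATHS:
            events.append({"client": m["client"], "method": m["method"],
                           "path": path, "status": int(m["status"])})
    return events


def correlate(events: list[dict]) -> set[str]:
    """Clients seen on every watched path (write-then-trigger pattern)."""
    seen: dict[str, set[str]] = {}
    for e in events:
        seen.setdefault(e["client"], set()).add(e["path"])
    return {c for c, paths in seen.items() if paths == set(WATCHED_PATHS)}


# Constructed sample data (not real FortiWeb artefacts).
SAMPLE_PTH = {
    "easy-install.pth": "/opt/lib/vendor\n/opt/lib/extra\n",
    "shim.pth": "import shim_hook\n",
    "dropped.pth": "import os; os.environ['X_MARKER'] = '1'\n",
}
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jul/2025:09:59:58 +0000] "POST /api/fabric/device/status HTTP/1.1" 200 88',
    '203.0.113.5 - - [14/Jul/2025:10:00:01 +0000] "GET /cgi-bin/ml-draw.py HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Jul/2025:10:01:00 +0000] "GET /login HTTP/1.1" 200 1024',
    "not a log line",
]

if __name__ == "__main__":
    print("suspicious .pth files:", scan_pth_texts(SAMPLE_PTH))
    hits = flag_requests(SAMPLE_LOG)
    print("watched-path requests:", hits)
    print("clients on both paths:", correlate(hits))
```

On a real appliance `scan_site_packages` would be pointed at the interpreter's actual site-packages directory; expect some legitimate packages to ship code-carrying `.pth` files, so compare results against a known-good baseline rather than treating every hit as compromise.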
## References
- Vendor advisories: *Fortinet advisories governing the specific RCE vulnerabilities should be consulted.*
- Relevant links:
  - bleepingcomputer.com/news/security/new-fortinet-fortiweb-hacks-likely-linked-to-public-rce-exploits/