TIRESIS/Forecast/CVE-2025-25257
⚡ CISA KEV — Actively ExploitedCRITICAL RISK

CVE-2025-25257

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.7, FortiWeb 7.2.0 through 7.2.10, FortiWeb 7.0.0 through 7.0.10 allows an unauthentica

SMB Attack Probability Score
81/100critical
Weighted: EPSS · CISA KEV · SMB stack prevalence · exploit maturity · CVSS vector
CVSS v3
9.8
EPSS (30d)
30.99%
SMB Exposure
46/100
Attack Vector
NETWORK
Complexity
LOW
Privileges
NONE
🔓
SMB Impact
How this vulnerability affects a real small business
1
How this breaks an SMB

Firewall or VPN compromise gives attackers full internal network access — no further credentials needed. All connected systems are immediately at risk.

2
Typical real-world scenario

Automated scanner identifies the exposed appliance. Within hours, lateral movement begins: file servers, domain controller, and backup systems are reached.

3
Estimated downtime & cost
Est. downtime
3–7 days
Business cost range
€15K–€80K
4
What IT should check this week
Is this appliance directly internet-facing?
Is firmware/OS version patched to latest?
Are admin consoles accessible without MFA?
Is network segmentation between IT and OT/servers active?
Scenarios are generated based on software category and CVE characteristics. Cost ranges reflect SMB incidents in TIRESIS incident database.
Threat Evolution Timeline
From disclosure to predicted exploitation — 6 events
1 predicted
📋
17 Jul 2025
Vulnerability disclosed
CVE published by NVD with CVSS 9.8 (CRITICAL)
🚨
18 Jul 2025CISA KEV
Added to CISA KEV catalog
CISA confirms active exploitation. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
19 Jul 2025
Exploit in the wild
Active exploitation observed — automated scanning and targeted attacks underway
🔬
24 Jul 2025
Proof-of-Concept published
Public PoC code available — exploitation now accessible to non-expert attackers
📍
TODAY
Today
EPSS: 31.0% probability of exploitation in next 30 days. SMB Risk Score: 81/100
Forecast →
🌐
30 May 2026◈ predicted · in 30 days
Predicted: mass exploitation window
Based on EPSS 31% and current exploit maturity — automated scanning campaigns expected at scale.
◈ Predicted eventsare estimates based on EPSS score, exploit maturity, and historical CVE progression patterns. They are not guaranteed outcomes.
Affected Products
fortiweb
Remediation & References
⚡ CISA Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Federal agency patch deadline: 2025-08-08
What to do
🚨Patch immediately — actively exploited in the wildcritical

CISA has confirmed exploitation of this vulnerability. Federal agencies must patch within the KEV deadline. SMBs should treat this as P0: patch or mitigate within 24–48 hours.

🌐No authentication required — restrict external access nowhigh

This vulnerability can be exploited remotely without credentials or user interaction. Until patched: block access to the affected service from the internet using firewall rules or ACLs. Only allow access from trusted IPs.

NVD Full Entry ↗Official vulnerability detail, CVSS vectors, CPE listCISA KEV Entry ↗CISA Known Exploited Vulnerabilities catalogEPSS Score ↗Exploit Prediction Scoring System — FIRST.orgMitre CVE ↗MITRE CVE Program official entry
Vendor & Exploit References
Scoring Methodology

SMB Attack Probability Score weights: EPSS exploit likelihood (35%), CISA KEV active exploitation (25%), SMB stack prevalence (20%), exploit maturity (10%), CVSS network vector complexity (10%). Impact scenarios are derived from software category and historical SMB incident patterns. Scores recompute daily.