CISA Adds Critical CVE-2025-25257 Vulnerability to KEV Catalog — What Organizations Must Know

The evolving landscape of cybersecurity challenges underscores that no organization, regardless of size or sector, can afford complacency. This reality was highlighted once again as the Cybersecurity and Infrastructure Security Agency (CISA) announced the addition of a new entry to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-25257, a serious SQL injection flaw affecting Fortinet FortiWeb web application firewall products. This development carries weight not only for federal agencies but also for any business relying on Fortinet infrastructure—and, more broadly, for any entity committed to robust, risk-based vulnerability management.

Understanding the Context: What Is the KEV Catalog?​

The KEV Catalog, maintained by CISA, is a publicly available and regularly updated repository of security vulnerabilities with confirmed evidence of active exploitation in the wild. Its emergence reflects a rising tide of high-profile breaches and ransomware campaigns that have exploited well-known, unpatched flaws. CISA’s Binding Operational Directive 22-01 (BOD 22-01), introduced in November 2021, made it a requirement for Federal Civilian Executive Branch (FCEB) agencies to remediate cataloged vulnerabilities within a prescribed timeframe. The intent: to rapidly shrink the window between exploit disclosure and mitigation, limiting opportunities for adversaries to compromise critical government infrastructure.
BOD 22-01’s impact, however, extends beyond its direct regulatory scope. By publishing the catalog and strongly urging all organizations—public and private—to adopt it as a risk management priority, CISA has essentially set a best-practice bar for the entire cybersecurity community.

What Is CVE-2025-25257? Dissecting the Fortinet FortiWeb SQL Injection Vulnerability​

The latest vulnerability added to the KEV Catalog, CVE-2025-25257, specifically targets Fortinet’s FortiWeb product. FortiWeb is a widely deployed web application firewall (WAF) solution, tasked with shielding web applications from a variety of attacks, such as cross-site scripting (XSS), SQL injection, and other OWASP Top 10 threats.
According to Fortinet’s own advisory and corroborated by independent assessments, CVE-2025-25257 allows unauthenticated remote attackers to execute arbitrary SQL commands on the underlying database by crafting malicious requests. This means that an attacker can potentially exfiltrate sensitive data, manipulate authentication records, or compromise the confidentiality and integrity of the entire application protected by the firewall.

Severity and Exploitation Evidence​

What propels this vulnerability onto the KEV list isn’t just its technical impact but also the confirmation—by threat intelligence operators and CISA itself—of in-the-wild exploitation. Fortinet has acknowledged both the existence of proof-of-concept exploits and “limited, targeted attacks” in the wild. Researchers have posted technical details and exploit code that make reproduction trivial for sufficiently motivated attackers, significantly raising the risk profile.
The CVSS (Common Vulnerability Scoring System) rating assigned to CVE-2025-25257 sits firmly in the “Critical” range, with a base score reported at 9.8 out of 10. Multiple trusted third-party security advisories have authenticated the risk and nature of the vulnerability, and CISA’s alert is consistent with these findings.

How Do Attackers Leverage SQL Injection Vulnerabilities?​

SQL injection (SQLi) vulnerabilities have been a persistent thorn in the side of web application security for decades, and for good reason. At their core, SQLi flaws arise when dynamic SQL queries incorporate unsanitized user input, enabling attackers to modify queries sent to the database. In the context of FortiWeb, the threat is amplified because firewalls like these are typically positioned as the last line of defense between the internet and sensitive enterprise applications.
A successful attack exploiting CVE-2025-25257 might have several immediate and devastating impacts:

• Data Exfiltration: Attackers can steal sensitive information, including usernames, passwords, configurations, and personally identifiable information (PII).
• Database Manipulation: Malicious SQL could alter or destroy critical application data, breaking business processes or enabling deeper lateral movement within the network.
• Privilege Escalation: Exploitation could be used to create new administrator accounts or escalate privileges, further entrenching the attacker’s position in the environment.
• Bypassing Security Controls: Because the vulnerability resides in a security appliance, attackers may be able to circumvent deployed protections, undermining trust in the solution itself.

Why CISA’s KEV Catalog Matters​

The importance of CISA’s KEV list extends beyond regulatory compliance; it offers a laser-focused, evidence-based prioritization tool for any organization overwhelmed by an endless stream of vulnerability disclosures. In a landscape where thousands of new CVEs are published every year—reaching a record high of over 30,000 in 2024 alone—it isn’t feasible (or cost-effective) to treat every one as equally urgent. The KEV Catalog cuts through the noise, signaling that each entry is (a) actively being exploited and (b) poses significant risk if left unaddressed.

Binding Operational Directive 22-01: The Regulatory Backbone​

BOD 22-01 provides the formal authority and structure behind the KEV initiative. It mandates that all FCEB agencies address cataloged vulnerabilities by a set deadline. There are periodic audits and accountability checks to ensure compliance, and non-compliance can trigger federal oversight mechanisms.
For organizations outside the federal government, BOD 22-01 is not legally binding, but the recommendation to “act with urgency” carries strong weight. CISA’s public statements repeatedly urge state, local, private sector, and critical infrastructure operators to incorporate KEV Catalog remediation into their regular patch management cycles.

Strengths and Impact of the KEV Approach​

Evidence-Based Prioritization​

One of the KEV Catalog’s most striking strengths is its reliance on observed, real-world exploitation rather than theoretical risk models. This not only aligns with the principles of threat-based defense but also addresses one of the biggest challenges in vulnerability management: prioritization.
Of the tens of thousands of vulnerabilities published annually, research shows that only a tiny fraction ever become common targets for attackers. By focusing on “what’s being exploited, not just what could be,” organizations can use their limited resources more efficiently and reduce business risk more effectively.

Industry Adoption and Influence​

Since its inception, security teams across industries have begun integrating the KEV Catalog into SIEM (Security Information and Event Management) platforms, vulnerability scanners, and patch management tools. Security vendors often push out targeted alerts whenever a new KEV entry is published, helping organizations maintain manageable, actionable queues of high-priority remediations.

Transparency and Accountability​

By making the KEV Catalog public—and specifying the rationale behind each addition—CISA has promoted both government transparency and community accountability. Security researchers and vendors can quickly cross-reference their advisories with entries in the catalog, creating a feedback loop that strengthens overall community response.

Potential Weaknesses and Risks in the KEV Paradigm​

Despite its undisputed benefits, the KEV Catalog approach is not without pitfalls.

Limited Scope: Not All Threats Are Equal​

By design, the KEV focuses only on vulnerabilities with proven, in-the-wild exploitation. This means that newly discovered weaknesses—no matter how severe—may go unaddressed until public reports of exploitation surface. Attackers who move quickly to weaponize zero-day or “n-day” vulnerabilities could exploit this lag time, especially if defenders confine their activity narrowly to KEV entries.

Complacency in Broader Patch Management​

Exclusive focus on the KEV Catalog could lead some organizations to neglect broader security hygiene. Relying solely on any curated list risks false negatives; it is essential to maintain robust, holistic vulnerability management and zero-trust strategies that consider the unique threat landscape faced by each organization.

Patch Lag and Legacy Systems​

Remediation deadlines established by BOD 22-01 may be challenging for organizations with legacy, unsupported, or poorly documented environments. Patches for security appliances such as FortiWeb frequently require careful change management and downtime planning, potentially putting critical business services at risk.

Fortinet’s Response and Mitigation Guidance​

In light of the confirmed exploitation of CVE-2025-25257, Fortinet has issued urgent guidance to affected customers:

• Immediate Patch Deployment: Fortinet has released available patches for supported FortiWeb versions. Security teams are strongly urged to apply these updates as soon as practical.
• Temporary Workarounds: Where patch application is not quickly possible—such as due to mission-critical dependencies—Fortinet recommends specific configuration changes or mitigations to reduce exposure, such as disabling vulnerable endpoints or enabling web application firewall rules that block SQL-specific patterns.
• Continued Monitoring: Administrators should monitor logs for signs of suspicious activity, such as unusual queries or failed authentication attempts, and be prepared to respond to signs of compromise.
• Network and Access Controls: Segmentation of vulnerable assets, together with least-privilege access models, can help limit damage in the event of exploitation.

Fortinet’s security bulletin for CVE-2025-25257 provides technical patch details and a list of affected versions. Customers should cross-reference this advisory with CISA’s KEV Catalog to ensure no relevant systems are overlooked.

Timely Lessons for the Broader Community​

The inclusion of CVE-2025-25257 in CISA’s KEV Catalog is a high-visibility signal with broad, actionable lessons:

1. Web Application Firewalls Are Not Invincible​

Security products, including WAFs, can themselves become vectors for attack. Layers of defense must be accompanied by regular patching, architectural review, and assumption that any single layer can—and sometimes will—fail.

2. SQL Injection Remains Prevalent​

Despite decades of defensive advancement, SQL injection continues to lead to high-impact breaches. Secure coding, regular code reviews, and application-layer security remain foundational. Automated scanners should be used to test both internet-facing and internal systems for a broad set of OWASP Top 10 vulnerabilities.

3. Threat Intelligence Must Shape Policy​

Evidence-based prioritization, using sources like the KEV Catalog, should be baked into every organization’s vulnerability management policy. However, it must be augmented with a larger understanding of sector-specific risks, internal asset criticality, and adversary tradecraft.

4. Rapid Communication and Collaboration Make a Difference​

Organizations that act quickly on public advisories—and are plugged into channels like CISA alerts and vendor bulletins—are better positioned to respond before adversaries gain a foothold.

Balancing Urgency with Operational Reality​

There can be tension between cybersecurity urgency and operational pragmatism. Applying a critical security patch, particularly to core network infrastructure devices such as FortiWeb, often involves planned downtime, change windows, and the need for thorough testing. For organizations operating 24/7 services or with constrained maintenance windows, this can present logistical and fiscal challenges.
CISA recommends organizations develop response playbooks that include:

• Risk-Based Asset Prioritization: Assess and rank the business impact of each affected asset.
• Emergency Change Procedures: Streamline approval processes for critical patches and security updates.
• Post-Remediation Validation: Verify that patches were properly applied and systems restored to a healthy state.
• Backup and Recovery Readiness: Ensure recent, tested backups exist in case of failed patching or catastrophic exploit.

Looking Ahead: Evolving Threats and the Role of Coordinated Disclosure​

The continuous addition of exploited vulnerabilities to the KEV Catalog underscores cybersecurity as an ongoing, adaptive battle. Adversaries will continue to search for new and novel weaknesses, whether in application logic, firmware, or cloud services. Vendors must strive for rapid, coordinated vulnerability disclosure and patch delivery, and end-users need agile, context-driven vulnerability management.
As machine learning and AI-infused attacks become more prevalent, it’s likely the pool of candidate KEV entries will expand, including more complex and difficult-to-detect flaws. CISA’s proactive partnership with vendors, security researchers, and the global IT community will be critical to keeping the catalog relevant and useful.

Final Takeaways: The Imperative to Act​

CVE-2025-25257’s addition to CISA’s Known Exploited Vulnerabilities Catalog offers a stark reminder: Operations-critical infrastructure must be shielded not only by best-in-class preventive controls but also by aggressive, real-time risk prioritization and mitigation programs. Whether within the federal enterprise, at state level, or in the private sector, IT and cybersecurity teams who leverage the KEV Catalog—or similar evidence-driven frameworks—demonstrate greater agility and resilience in the face of an ever-shifting threat landscape.
Vulnerability management is not a one-time event, but a living, evolving practice. The lessons from CVE-2025-25257 and the KEV Catalog’s overall trajectory mean greater security for those who heed them—and greater peril for those who do not. The call to action is clear, and the tools are at hand: prioritize, patch, and prepare. The adversary is always at work—your response must be relentless, too.

---

Source: CISA CISA Adds One Known Exploited Vulnerability to Catalog | CISA