🔎 Overview
A critical SQL injection vulnerability (CVE-2025-25257) has been discovered in Fortinet’s FortiWeb platform, potentially allowing remote code execution via unauthorized database commands. With a CVSS score of 9.6/10, this flaw poses a serious risk to organizations relying on FortiWeb for web application security.
Do You Need Help?
XEye Security offers you the ultimate proactive and cost-effective approach and solutions to combating all types of cyber threats, ensuring compliance, and implementing robust security measures.
🧨 What’s the Risk?
Attackers can exploit this bug by injecting malicious SQL queries via a crafted Bearer token in the HTTP Authorization header. The flaw originates from the get_fabric_user_by_token
function inside Fortinet’s Fabric Connector, which fails to properly sanitize input.
If exploited, attackers could:
- Run unauthorized SQL commands
- Write malicious files to disk using
SELECT ... INTO OUTFILE
- Trigger remote code execution through Python scripts
📌 Impacted Versions
Affected FortiWeb Versions | Secure Version to Upgrade To |
---|---|
7.6.0 – 7.6.3 | 7.6.4 or newer |
7.4.0 – 7.4.7 | 7.4.8 or newer |
7.2.0 – 7.2.10 | 7.2.11 or newer |
7.0.0 – 7.0.10 | 7.0.11 or newer |
🛡️ Recommended Mitigation
Fortinet has issued patches replacing vulnerable SQL queries with prepared statements to prevent injection attacks. Organizations are urged to:
- Immediately apply available updates
- Temporarily disable HTTP/HTTPS admin interfaces if patching is delayed
Do You Need Help?
XEye Security offers you the ultimate proactive and cost-effective approach and solutions to combating all types of cyber threats, ensuring compliance, and implementing robust security measures.
👨‍🔬 Credit Where Due
The vulnerability was responsibly disclosed by Kentaro Kawane, a researcher at GMO Cybersecurity, known for previous findings in Cisco’s ISE components (CVE-2025-20286, CVE-2025-20281, CVE-2025-20282).
📣 XEye Security’s Recommendation
If your organization relies on FortiWeb, patching is not optional—especially given Fortinet’s history of being actively targeted by threat actors. This vulnerability offers a pathway from SQL injection to remote code execution, making swift action imperative.