Critical FortiWeb Vulnerability (CVE-2025-25257)

🔎 Overview

A critical SQL injection vulnerability (CVE-2025-25257) has been discovered in Fortinet’s FortiWeb platform, potentially allowing remote code execution via unauthorized database commands. With a CVSS score of 9.6/10, this flaw poses a serious risk to organizations relying on FortiWeb for web application security.

🧨 What’s the Risk?

Attackers can exploit this bug by injecting malicious SQL queries via a crafted Bearer token in the HTTP Authorization header. The flaw originates from the get_fabric_user_by_token function inside Fortinet’s Fabric Connector, which fails to properly sanitize input.

If exploited, attackers could:

• Run unauthorized SQL commands
• Write malicious files to disk using SELECT ... INTO OUTFILE
• Trigger remote code execution through Python scripts

📌 Impacted Versions

Affected FortiWeb Versions	Secure Version to Upgrade To
7.6.0 – 7.6.3	7.6.4 or newer
7.4.0 – 7.4.7	7.4.8 or newer
7.2.0 – 7.2.10	7.2.11 or newer
7.0.0 – 7.0.10	7.0.11 or newer

🛡️ Recommended Mitigation

Fortinet has issued patches replacing vulnerable SQL queries with prepared statements to prevent injection attacks. Organizations are urged to:

• Immediately apply available updates
• Temporarily disable HTTP/HTTPS admin interfaces if patching is delayed

👨‍🔬 Credit Where Due

The vulnerability was responsibly disclosed by Kentaro Kawane, a researcher at GMO Cybersecurity, known for previous findings in Cisco’s ISE components (CVE-2025-20286, CVE-2025-20281, CVE-2025-20282).

📣 XEye Security’s Recommendation

If your organization relies on FortiWeb, patching is not optional—especially given Fortinet’s history of being actively targeted by threat actors. This vulnerability offers a pathway from SQL injection to remote code execution, making swift action imperative.