Critical FortiWeb Vulnerability (CVE-2025-25257)

Critical FortiWeb Vulnerability (CVE-2025-25257)

🔎 Overview

A critical SQL injection vulnerability (CVE-2025-25257) has been discovered in Fortinet’s FortiWeb platform, potentially allowing remote code execution via unauthorized database commands. With a CVSS score of 9.6/10, this flaw poses a serious risk to organizations relying on FortiWeb for web application security.

Do You Need Help?

🧨 What’s the Risk?

Attackers can exploit this bug by injecting malicious SQL queries via a crafted Bearer token in the HTTP Authorization header. The flaw originates from the get_fabric_user_by_token function inside Fortinet’s Fabric Connector, which fails to properly sanitize input.

If exploited, attackers could:

  • Run unauthorized SQL commands
  • Write malicious files to disk using SELECT ... INTO OUTFILE
  • Trigger remote code execution through Python scripts

📌 Impacted Versions

Affected FortiWeb VersionsSecure Version to Upgrade To
7.6.0 – 7.6.37.6.4 or newer
7.4.0 – 7.4.77.4.8 or newer
7.2.0 – 7.2.107.2.11 or newer
7.0.0 – 7.0.107.0.11 or newer

🛡️ Recommended Mitigation

Fortinet has issued patches replacing vulnerable SQL queries with prepared statements to prevent injection attacks. Organizations are urged to:

  • Immediately apply available updates
  • Temporarily disable HTTP/HTTPS admin interfaces if patching is delayed

Do You Need Help?

👨‍🔬 Credit Where Due

The vulnerability was responsibly disclosed by Kentaro Kawane, a researcher at GMO Cybersecurity, known for previous findings in Cisco’s ISE components (CVE-2025-20286, CVE-2025-20281, CVE-2025-20282).

📣 XEye Security’s Recommendation

If your organization relies on FortiWeb, patching is not optional—especially given Fortinet’s history of being actively targeted by threat actors. This vulnerability offers a pathway from SQL injection to remote code execution, making swift action imperative.

    Subscribe to our Newsletter and stay updated.

    You may also like these