CVE-2025-25257 (CVSS 9.6): Pre-Auth SQLi in Fortinet FortiWeb Opens Door to RCE, PoC Published

A critical security flaw in Fortinet’s FortiWeb web application firewall has been publicly weaponized, with proof-of-concept (PoC) exploits demonstrating pre-authenticated remote code execution (RCE) through an SQL injection vulnerability tracked as CVE-2025-25257 (CVSS 9.6).

“An improper neutralization of special elements used in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests,” Fortinet warned.

FortiWeb, a web application firewall (WAF) designed to defend against malicious HTTP traffic and web-based threats, is widely used across enterprise environments. The flaw affects multiple versions:

• FortiWeb 7.6.0 to 7.6.3 (patch: 7.6.4)
• FortiWeb 7.4.0 to 7.4.7 (patch: 7.4.8)
• FortiWeb 7.2.0 to 7.2.10 (patch: 7.2.11)
• FortiWeb 7.0.0 to 7.0.10 (patch: 7.0.11)

The vulnerability, discovered by Kentaro Kawane of GMO Cybersecurity, carries a critical CVSS score of 9.6.

The core of the issue lies in the get_fabric_user_by_token function in the Fabric Connector component, which serves as a link between FortiWeb and other Fortinet products.

The function is called indirectly via the fabric_access_check routine across three API endpoints:

• /api/fabric/device/status
• /api/v[0-9]/fabric/widget/[a-z]+
• /api/v[0-9]/fabric/widget

The attack vector? A malicious Bearer token supplied via the Authorization header. Instead of validating this input, the function directly feeds it into a SQL query, enabling injection.

Security firm watchTowr Labs and independent researcher faulty*ptrrr have demonstrated how this vulnerability can be leveraged to achieve RCE.

The attack can be extended further to remote code execution by embedding a SELECT … INTO OUTFILE statement to write a malicious payload to a file in the underlying operating system by taking advantage of the fact that the query is run as the mysql user, explained watchTowr in their technical blog.

Once the payload is dropped, it can be executed via a separate process like Python, effectively granting attackers full control of the system.

PoC exploits posted to GitHub [1,2] can open a reverse shell or deploy a web shell, turning vulnerable FortiWeb instances into entry points for deeper network compromise.

Fortinet has released patched versions for all affected branches and urges customers to upgrade immediately.

Mitigation tips until patching is complete:

• Disable HTTP/HTTPS administrative interfaces.
• Enforce strict network-level access controls.
• Monitor logs for suspicious Authorization headers.

Related Posts:

• Fortinet patches critical CVE-2022-39952 & CVE-2021-42756 bugs in its products
• Fortinet Faces Potential Data Breach, Customer Data at Risk
• Cybersecurity Alert: CISA Adds Fortinet and GitHub Action Vulnerabilities to Exploited List
• Microsoft says our most popular server product runs on Linux

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy