Fortinet Fixes Critical SQL Injection Flaw in FortiWeb (CVE-2025-25257, CVSS 9.6)
Do Son 
Fortinet has released a critical patch to address a serious vulnerability in its FortiWeb product β a web application firewall widely deployed across enterprise environments. Tracked as CVE-2025-25257, the flaw is a high-severity unauthenticated SQL injection vulnerability that could allow a remote attacker to execute unauthorized SQL commands by simply sending a crafted HTTP or HTTPS request.
βAn improper neutralization of special elements used in an SQL command (βSQL Injectionβ) vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests,β Fortinet stated in its advisory.
With a CVSS score of 9.6, the issue is considered critical, especially given that it requires no authentication to exploit β making it a lucrative target for threat actors seeking easy entry into protected environments.
The vulnerability impacts several versions of FortiWeb across multiple major release lines:
| Version | Affected | Solution |
|---|---|---|
| FortiWeb 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| FortiWeb 7.4 | 7.4.0 through 7.4.7 | Upgrade to 7.4.8 or above |
| FortiWeb 7.2 | 7.2.0 through 7.2.10 | Upgrade to 7.2.11 or above |
| FortiWeb 7.0 | 7.0.0 through 7.0.10 | Upgrade to 7.0.11 or above |
If left unpatched, the vulnerability opens the door for attackers to potentially access sensitive data, alter database contents, or compromise backend systems.
For organizations unable to upgrade immediately, Fortinet suggests disabling the HTTP/HTTPS administrative interface as a temporary workaround:
βDisable HTTP/HTTPS administrative interface,β the advisory recommends, as this interface is the primary attack vector.
However, disabling the GUI interface may limit manageability and is not considered a permanent solution. Organizations are strongly urged to apply the vendor-supplied patches.
Related Posts:
- Fortinet Faces Potential Data Breach, Customer Data at Risk
- Cybersecurity Alert: CISA Adds Fortinet and GitHub Action Vulnerabilities to Exploited List
- Fortinet patches critical CVE-2022-39952 & CVE-2021-42756 bugs in its products
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
