Critical FortiWeb SQL Injection (CVE-2025-25257) Allows Remote Code Execution, PoC Published
Fortinet has released critical security updates for FortiWeb, addressing a severe vulnerability that allowed unauthenticated attackers to execute arbitrary SQL queries remotely. The flaw, tracked as CVE-2025-25257, received a CVSS score of 9.6, placing it among the most dangerous threats currently affecting enterprise infrastructure.
The vulnerability resided in the Fabric Connector component, which facilitates integration between FortiWeb and other Fortinet products. It was specifically traced to the get_fabric_user_by_token function, invoked during access control checks on API endpoints.
Researchers at watchTowr Labs discovered that HTTP requests containing an Authorization header with a Bearer token were being passed directly to the backend database without adequate input sanitization. This opened the door for SQL injection attacks, including the execution of high-risk commands such as SELECT... INTO OUTFILE, enabling the writing of arbitrary code to disk with the potential for subsequent execution.
The threat was further exacerbated by the fact that SQL queries were executed under the mysql system user, granting elevated permissions over the file system. The researchers demonstrated that an attacker could leverage Python to trigger malicious code embedded via SQL, effectively escalating from injection to full remote code execution (RCE) within the system.
Fortinet responded promptly, replacing the vulnerable string formatting logic with secure prepared statements, thereby neutralizing the primary attack vector by eliminating the possibility of structural manipulation within SQL queries.
The vulnerability affects the following FortiWeb versions:
- 7.6.0 to 7.6.3 → Update to 7.6.4 or later
- 7.4.0 to 7.4.7 → Update to 7.4.8 or later
- 7.2.0 to 7.2.10 → Update to 7.2.11 or later
- 7.0.0 to 7.0.10 → Update to 7.0.11 or later
This flaw was responsibly disclosed by Kentaro Kawane of GMO Cybersecurity, a Japanese security researcher known for previously uncovering critical issues in Cisco products. Fortinet publicly acknowledged his contribution and expressed gratitude for his role in the remediation process.
Until patches are fully deployed, Fortinet recommends disabling the HTTP/HTTPS web management interfaces as a temporary mitigation to reduce the attack surface. Historically, Fortinet vulnerabilities have been rapidly weaponized following public disclosure, making immediate patching essential to safeguard infrastructure against active exploitation.
