Fortinet has released a critical security update to address a severe SQL injection vulnerability affecting its FortiWeb application firewall. The vulnerability, identified as CVE-2025-25257, has been assigned a CVSS score of 9.6, underscoring its high potential impact and the urgency for remediation.
Vulnerability Summary
- CVE ID: CVE-2025-25257
- Severity: Critical (CVSS 9.6)
- Type: SQL Injection (CWE-89)
- Authentication Required: No
- Attack Vector: HTTP/HTTPS
According to Fortinet’s official advisory, the vulnerability is caused by improper neutralization of special elements used in SQL queries. An unauthenticated attacker could exploit this flaw by sending specially crafted HTTP or HTTPS requests, allowing them to execute arbitrary SQL commands on the database backend of vulnerable FortiWeb systems.
Affected Versions and Required Updates
The following FortiWeb versions are impacted and require immediate updates:
| Affected Versions | Required Upgrade |
|---|---|
| 7.6.0 to 7.6.3 | Upgrade to 7.6.4 or later |
| 7.4.0 to 7.4.7 | Upgrade to 7.4.8 or later |
| 7.2.0 to 7.2.10 | Upgrade to 7.2.11 or later |
| 7.0.0 to 7.0.10 | Upgrade to 7.0.11 or later |
Technical Details
The vulnerability originates in a function called get_fabric_user_by_token, part of the Fabric Connector component. This component facilitates integration between FortiWeb and other Fortinet products. The vulnerable function is ultimately triggered through three API endpoints:
-
/api/fabric/device/status -
/api/v[0-9]/fabric/widget/[a-z]+ -
/api/v[0-9]/fabric/widget
Attackers can exploit this vulnerability by sending a malicious Authorization Bearer token in an HTTP request. The token is passed directly into a database query without proper sanitization, enabling the execution of arbitrary SQL code.
Potential for Remote Code Execution
Security researchers at watchTowr Labs have demonstrated that the vulnerability can be escalated to remote code execution. By injecting a SELECT ... INTO OUTFILE SQL statement, an attacker could write a malicious payload to the underlying operating system and execute it using Python. This is made possible because the SQL query executes with the privileges of the “mysql” user.
Researcher Sina Kheirkhah noted that the patch replaces insecure string-based queries with parameterized prepared statements, which is a standard method to prevent SQL injection.
Discovery and Disclosure
The vulnerability was responsibly disclosed by Kentaro Kawane of GMO Cybersecurity, who has previously reported critical vulnerabilities in Cisco’s Identity Services Engine.
Mitigation and Recommendations
Fortinet has released updated versions of FortiWeb that address this vulnerability. All users are strongly encouraged to upgrade immediately to the relevant fixed version. Systems exposed to the internet are particularly at risk and should be prioritized.
As a temporary mitigation measure, Fortinet recommends disabling the HTTP/HTTPS administrative interface until the patch is applied.
Conclusion
FortiWeb plays a critical role in securing enterprise environments. Exploitation of vulnerabilities in such devices can lead to full compromise of connected systems. Given Fortinet’s history of being targeted by advanced persistent threats and ransomware groups, rapid patching is essential.
Organizations are advised to assess their FortiWeb deployment immediately, apply updates, and monitor for any suspicious activity that may indicate attempted exploitation.
References
- Fortinet Security Advisory: CVE-2025-25257
- watchTowr Labs Technical Analysis
- MITRE CWE-89 Definition