Fortinet has issued urgent security advisories and patches for a critical SQL injection vulnerability, CVE-2025-25257, affecting its FortiWeb web application firewall. This flaw allows unauthenticated attackers to execute arbitrary code on vulnerable systems, posing a significant risk to network security.

Key Takeaways

• A critical SQL injection vulnerability (CVE-2025-25257) has been discovered in Fortinet FortiWeb.

• The flaw allows unauthenticated attackers to achieve remote code execution (RCE).

• Proof-of-concept exploits are publicly available, increasing the urgency for patching.

• Fortinet has released patches for affected versions, and immediate application is strongly recommended.

The Vulnerability Explained

The vulnerability, identified as CVE-2025-25257, is an "improper neutralization of special elements used in an SQL command" (SQL Injection) flaw. It resides within the FortiWeb Fabric Connector component, which bridges FortiWeb with other Fortinet products. Attackers can exploit this by sending specially crafted HTTP or HTTPS requests. These requests manipulate the function, which fails to adequately sanitize input passed via the header. This allows attackers to inject malicious SQL commands.

Escalation to Remote Code Execution

Researchers have demonstrated that this SQL injection can be escalated to achieve full remote code execution (RCE). By leveraging MySQL's statement, attackers can write malicious files to the server's file system. Critically, the database process often runs with root privileges, allowing files to be placed in sensitive locations. While direct execution might be challenging, attackers can exploit existing scripts, such as Python scripts in the folder, to execute their injected code. This can lead to a complete compromise of the FortiWeb device.

Affected Versions and Patching

Fortinet has identified the following FortiWeb versions as vulnerable:

• 7.6.0 through 7.6.3 (Upgrade to 7.6.4 or later)

• 7.4.0 through 7.4.7 (Upgrade to 7.4.8 or later)

• 7.2.0 through 7.2.10 (Upgrade to 7.2.11 or later)

• 7.0.0 through 7.0.10 (Upgrade to 7.0.11 or later)

Fortinet strongly advises all users to apply the available patches immediately. As a temporary workaround, organizations that cannot immediately patch are recommended to disable the HTTP/HTTPS administrative interface until a patch can be applied.

Discovery and Public Exploits

The vulnerability was initially reported to Fortinet by Kentaro Kawane from GMO Cybersecurity. Security researchers at watchTowr Labs further analyzed and demonstrated the escalation to RCE, publishing their findings. The availability of proof-of-concept (PoC) exploits online significantly heightens the risk, making it imperative for organizations to update their FortiWeb instances without delay to prevent potential system compromise, data theft, and service disruptions.

Sources

• Fortinet Patches Critical SQLi Flaw Enabling Unauthenticated Code Execution, The Hacker News.

• CVE-2025-25257 PoC enables remote code execution on Fortinet FortiWeb, Security Affairs.

• Fortinet Releases Patch for Critical SQL Injection Flaw in FortiWeb (CVE-2025-25257), The Hacker News.

• Critical Vulnerability Exposes Fortinet FortiWeb to Full Takeover (CVE-2025-25257), Hackread.

• CVE-2025-25257 Vulnerability: Critical SQL Injection in Fortinet FortiWeb Enables Unauthenticated Remote CodeExecution, SOC Prime.