Fortinet has launched fixes for a vital safety flaw impacting FortiWeb that might allow an unauthenticated attacker to run arbitrary database instructions on vulnerable cases.
Tracked as CVE-2025-25257, the vulnerability carries a CVSS rating of 9.6 out of a most of 10.0.
“An improper neutralization of particular components utilized in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in FortiWeb might permit an unauthenticated attacker to execute unauthorized SQL code or instructions by way of crafted HTTP or HTTPs requests,” Fortinet stated in an advisory launched this week.
The shortcoming impacts the next variations –
- FortiWeb 7.6.0 by way of 7.6.3 (Improve to 7.6.4 or above)
- FortiWeb 7.4.0 by way of 7.4.7 (Improve to 7.4.8 or above)
- FortiWeb 7.2.0 by way of 7.2.10 (Improve to 7.2.11 or above)
- FortiWeb 7.0.0 by way of 7.0.10 (Improve to 7.0.11 or above)
Kentaro Kawane from GMO Cybersecurity, who was lately credited with reporting a set of vital flaws in Cisco Identification Providers and ISE Passive Identification Connector (CVE-2025-20286, CVE-2025-20281, and CVE-2025-20282), has been acknowledged for locating the difficulty.
In an evaluation revealed immediately, watchTowr Labs stated the issue is rooted in a perform referred to as “get_fabric_user_by_token” that is related to the Material Connector element, which acts as a bridge between FortiWeb and different Fortinet merchandise.
The perform, in flip, is invoked from one other perform named “fabric_access_check,” that is referred to as from three completely different API endpoints: “/api/cloth/machine/standing,” “/api/v[0-9]/cloth/widget/[a-z]+,” and “/api/v[0-9]/cloth/widget.”
The difficulty is that attacker-controlled enter – handed by way of a Bearer token Authorization header in a specifically crafted HTTP request – is handed on to an SQL database question with out sufficient sanitization to ensure that it isn’t dangerous and doesn’t embody any malicious code.
The assault could be prolonged additional by embedding a SELECT … INTO OUTFILE assertion to write down the outcomes of command execution to a file within the underlying working system by making the most of the truth that the question is run because the “mysql” consumer.
“The brand new model of the perform replaces the earlier format-string question with ready statements – an affordable try to stop simple SQL injection,” safety researcher Sina Kheirkhah stated.
As short-term workarounds till the mandatory patches could be utilized, customers are beneficial to disable HTTP/HTTPS administrative interface.
With flaws in Fortinet units having been exploited by risk actors previously, it is important that customers transfer rapidly to replace to the newest model to mitigate potential dangers.