CVE‑2025‑25257 is a critical pre-authentication SQL injection vulnerability affecting Fortinet FortiWeb’s Fabric Connector component. It impacts FortiWeb versions:
- 7.6.0–7.6.3
- 7.4.0–7.4.7
- 7.2.0–7.2.10
- ≤ 7.0.10
The issue resides in the get_fabric_user_by_token() function, which constructs SQL queries using unsanitized user input (the Authorization: Bearer HTTP header). This leads to an SQL injection (CWE‑89) vulnerability
- Attackers can bypass authentication and inject arbitrary SQL commands.
- By exploiting MySQL’s SELECT … INTO OUTFILE, attackers can write malicious .pth files or webshells within the server’s file system (e.g. in Python site‑packages or CGI directories), resulting in remote code execution (RCE)
- CVSS score: 9.6–9.8 (Critical)
- The attacker gains unauthenticated access to execute OS-level commands on the affected appliance, potentially leading to full system compromise
- Public Proof-of-Concept (PoC) exploits are available and reportedly being used
- Patch Immediately Upgrade FortiWeb to: 7.6.4+, 7.4.8+, 7.2.11+, or 7.0.11+
- Temporary Mitigation Disable or restrict access to the HTTP/HTTPS administrative interface until the patch is applied
- Monitor and Detect
- Inspect logs for suspicious Authorization headers containing SQL syntax.
- Add IDS/IPS signatures to detect injection patterns in Fabric Connector API calls (especially /api/fabric/device/status).
- Check the file system (e.g., .pth files in site-packages or unusual CGI scripts like ml-draw.py) for unauthorized deployments
CVE‑2025‑25257 is a severe pre-auth SQL injection → RCE chain enabling attackers to implant arbitrary payloads in FortiWeb systems. It’s easy to exploit, widely weaponized, and has a fix available. Applying the vendor patch and enhancing monitoring controls are essential to prevent system compromise.