Fortinet has launched fixes for a essential security flaw impacting FortiWeb that might allow an unauthenticated attacker to run arbitrary database instructions on prone situations.
Tracked as CVE-2025-25257, the vulnerability carries a CVSS rating of 9.6 out of a most of 10.0.
“An improper neutralization of particular components utilized in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in FortiWeb could enable an unauthenticated attacker to execute unauthorized SQL code or instructions through crafted HTTP or HTTPs requests,” Fortinet stated in an advisory launched this week.
The shortcoming impacts the next variations –
- FortiWeb 7.6.0 by way of 7.6.3 (Improve to 7.6.4 or above)
- FortiWeb 7.4.0 by way of 7.4.7 (Improve to 7.4.8 or above)
- FortiWeb 7.2.0 by way of 7.2.10 (Improve to 7.2.11 or above)
- FortiWeb 7.0.0 by way of 7.0.10 (Improve to 7.0.11 or above)
Kentaro Kawane from GMO Cybersecurity, who was not too long ago credited with reporting a set of essential flaws in Cisco Identification Providers and ISE Passive Identification Connector (CVE-2025-20286, CVE-2025-20281, and CVE-2025-20282), has been acknowledged for locating the difficulty.
In an evaluation printed immediately, watchTowr Labs stated the issue is rooted in a operate known as “get_fabric_user_by_token” that is related to the Cloth Connector element, which acts as a bridge between FortiWeb and different Fortinet merchandise.
The operate, in flip, is invoked from one other operate named “fabric_access_check,” that is known as from three totally different API endpoints: “/api/material/gadget/standing,” “/api/v[0-9]/material/widget/[a-z]+,” and “/api/v[0-9]/material/widget.”
The difficulty is that attacker-controlled enter – handed through a Bearer token Authorization header in a specifically crafted HTTP request – is handed on to an SQL database question with out satisfactory sanitization to guarantee that it is not dangerous and doesn’t embrace any malicious code.
The assault might be prolonged additional by embedding a SELECT … INTO OUTFILE assertion to put in writing the outcomes of command execution to a file within the underlying working system by benefiting from the truth that the question is run because the “mysql” person.
“The brand new model of the operate replaces the earlier format-string question with ready statements – an inexpensive try to stop easy SQL injection,” security researcher Sina Kheirkhah stated.
As momentary workarounds till the required patches might be utilized, customers are beneficial to disable HTTP/HTTPS administrative interface.
With flaws in Fortinet gadgets having been exploited by menace actors prior to now, it is important that customers transfer rapidly to replace to the newest model to mitigate potential dangers.
