Warning: Critical SQL Injection vulnerability in Fortinet FortiWeb (CVE-2025-25257) allows unauthenticated attackers to execute unauthorized SQL commands. Patch immediately!

  • Published: 11/07/2025
  • Last update: 17-07-2025
  • Affected software:
    → FortiWeb 7.6: versions 7.6.0 through 7.6.3
    → FortiWeb 7.4: versions 7.4.0 through 7.4.7
    → FortiWeb 7.2: versions 7.2.0 through 7.2.10
    → FortiWeb 7.0: versions 7.0.0 through 7.0.10
  • Type: SQL Injection
  • CVE/CVSS
    → CVE-2025-25257: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://fortiguard.fortinet.com/psirt/FG-IR-25-151

Risks

This vulnerability is known to be actively exploited.

Successful exploitation of this vulnerability in various versions of FortiWeb can allow unauthenticated attackers to execute unauthorized SQL commands via crafted HTTP/S requests.

This vulnerability has a significant impact on confidentiality, integrity, and availability.

The risk is notable, as FortiWeb instances are typically public-facing edge systems, making them frequent targets for threat actors during intrusions.

As of 11 JUL 2025, there is no evidence of this vulnerability being actively exploited.

UPDATE 15 JUL 2025: A proof-of-concept (PoC) exploit for this vulnerability has been publicly released, which increases the chances of further exploitation.

UPDATE 17 JUL 2025: This vulnerability has been observed as being actively exploited. For more information, see: https://x.com/Shadowserver/status/1945407662805454871

Description

In affected versions, the FortiWeb administrative GUI suffers from improper input neutralization, leading to unauthenticated SQL injection. This critical flaw allows attackers to:

  • Execute unauthorized SQL commands without authentication
  • Bypass access controls and extract sensitive configuration or user data
  • Modify or delete backend database entries
  • Potentially escalate to full system compromise

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
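To act on the affected-software list above, here is an added example (not code from the CCB or from Fortinet) that triages a FortiWeb inventory against exactly those version ranges; the hostnames and version strings in SAMPLE_INVENTORY are constructed, and versions outside the listed ranges are reported only as out of range, not as fixed.

```python
# Added example (not part of the CCB advisory): triage a FortiWeb inventory against
# the affected version ranges the advisory lists for CVE-2025-25257.

# Affected ranges exactly as the advisory lists them (inclusive bounds).
AFFECTED_RANGES = {
    (7, 6): ((7, 6, 0), (7, 6, 3)),
    (7, 4): ((7, 4, 0), (7, 4, 7)),
    (7, 2): ((7, 2, 0), (7, 2, 10)),
    (7, 0): ((7, 0, 0), (7, 0, 10)),
}

def parse_version(text):
    """Parse a FortiWeb version string such as '7.4.7' or 'v7.6.3' into an int tuple."""
    text = text.strip().lower().lstrip("v")
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(version):
    """True if the version lies inside one of the advisory's affected ranges.
    Branches the advisory does not name (e.g. 6.x) return False: they are out of
    scope for this check, not certified safe."""
    v = parse_version(version)
    rng = AFFECTED_RANGES.get(v[:2])
    if rng is None:
        return False
    low, high = rng
    return low <= v <= high  # tuple comparison is numeric, so 7.2.10 > 7.2.9

def triage(inventory):
    """Map {hostname: version} to {hostname: status} for patch prioritisation."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "AFFECTED" if is_affected(version) else "not in affected range"
        except ValueError:
            result[host] = "unknown version"
    return result

# Constructed sample inventory: hypothetical hostnames and version strings.
SAMPLE_INVENTORY = {
    "fwb-edge-01": "7.6.3",
    "fwb-edge-02": "7.6.4",
    "fwb-dc-01": "v7.2.10",
    "fwb-lab-01": "7.0.11",
    "fwb-legacy": "6.4.3",
    "fwb-broken": "n/a",
}
```

Feed it the version strings from your own asset inventory; anything reported as "unknown version" needs a manual look rather than being assumed safe.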

Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

https://www.tenable.com/cve/CVE-2025-25257