Fortinet has released fixes for a critical security flaw impacting FortiWeb that could enable an unauthenticated attacker to run arbitrary database commands on susceptible instances.
Tracked as CVE-2025-25257, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0.
“An improper neutralization of special elements used in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests,” Fortinet said in an advisory released this week.
The shortcoming impacts the following versions –
- FortiWeb 7.6.0 through 7.6.3 (Upgrade to 7.6.4 or above)
- FortiWeb 7.4.0 through 7.4.7 (Upgrade to 7.4.8 or above)
- FortiWeb 7.2.0 through 7.2.10 (Upgrade to 7.2.11 or above)
- FortiWeb 7.0.0 through 7.0.10 (Upgrade to 7.0.11 or above)
Kentaro Kawane from GMO Cybersecurity, who was recently credited with reporting a set of critical flaws in Cisco Identity Services and ISE Passive Identity Connector (CVE-2025-20286, CVE-2025-20281, and CVE-2025-20282), has acknowledged for discovering the issue.
In an analysis published today, watchTowr Labs said the problem is rooted in a function called “get_fabric_user_by_token” that’s associated with the Fabric Connector component, which acts as a bridge between FortiWeb and other Fortinet products.
The function, in turn, is invoked from another function named “fabric_access_check,” that’s called from three different API endpoints: “/api/fabric/device/status,” “/api/v[0-9]/fabric/widget/[a-z]+,” and “/api/v[0-9]/fabric/widget.”
The issue is that attacker-controlled input – passed via a Bearer token Authorization header in a specially crafted HTTP request – is passed directly to an SQL database query without adequate sanitization to make sure that it’s not harmful and does not include any malicious code.
The attack can be extended further by embedding a SELECT … INTO OUTFILE statement to write the results of command execution to a file in the underlying operating system by taking advantage of the fact that the query is run as the “mysql” user.
“The new version of the function replaces the previous format-string query with prepared statements – a reasonable attempt to prevent straightforward SQL injection,” security researcher Sina Kheirkhah said.
As temporary workarounds until the necessary patches can be applied, users are recommended to disable HTTP/HTTPS administrative interface.
With flaws in Fortinet devices having been exploited by threat actors in the past, it’s essential that users move quickly to update to the latest version to mitigate potential risks.
