CVE-2025-25257
published 2025-07-17


Priority: P1 97 | Severity: critical | CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2025-08-08
Exploited in the wild
EPSS: 96.71% (99.9th percentile)
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.7, FortiWeb 7.2.0 through 7.2.10, FortiWeb 7.0.0 through 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.

Affected (10 ranges)

Vendor     Product    Version range        Fixed in
fortinet   fortinet   -                    -
fortinet   fortiweb   -                    -
fortinet   fortiweb   >= 7.0.0 < 7.0.11    7.0.11
fortinet   fortiweb   7.0.0 – 7.0.10       -
fortinet   fortiweb   >= 7.2.0 < 7.2.11    7.2.11
fortinet   fortiweb   7.2.0 – 7.2.10       -
fortinet   fortiweb   >= 7.4.0 < 7.4.8     7.4.8
fortinet   fortiweb   7.4.0 – 7.4.7        -
fortinet   fortiweb   >= 7.6.0 < 7.6.4     7.6.4
fortinet   fortiweb   7.6.0 – 7.6.3        -

Detection & IOCs (extracted from sources)

url:  /api/fabric/device/status
path: /cgi-bin/ml-draw.py
  • Detect SQLi attempts via crafted Authorization/Bearer headers in HTTP requests targeting /api/fabric/device/status on FortiWeb devices. The injection pattern uses SQL OR logic in the bearer token.
  • Monitor for creation of .pth files in Python site-packages directories on FortiWeb appliances, which is the persistence/RCE mechanism used by the exploit.
  • Monitor for unexpected HTTP requests to /cgi-bin/ml-draw.py following requests to /api/fabric/device/status, as this two-step pattern is the exploit chain for achieving RCE.
  • The vulnerable code path is in get_fabric_user_by_token() which uses unsanitized bearer token input in a raw SQL query; look for SQL metacharacters in Authorization headers.
  • Detect use of MySQL SELECT … INTO OUTFILE via SQLi to write arbitrary files on the FortiWeb filesystem, which is the escalation technique from SQLi to RCE.
  • Check Point IPS signature available for this CVE: 'Fortinet FortiWeb SQL Injection CVE-2025-25257'.
  • Web shell infections on FortiWeb instances are being actively tracked; 85 infections observed on July 14 and 77 on July 15, 2025 by Shadowserver.
  • The vulnerable endpoint (/api/fabric/device/status) is part of FortiWeb's Fabric Connector feature. Disabling the HTTP/HTTPS administrative interface restricts access to this endpoint as a temporary mitigation if patching is not immediately possible.
  • Affected versions span multiple FortiWeb branches: 7.6.0–7.6.3, 7.4.0–7.4.7, 7.2.0–7.2.10, and 7.0.0–7.0.10. Patched versions are 7.6.4, 7.4.8, 7.2.11, and 7.0.11.
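The detection bullets above describe three observable signals: SQL metacharacters in the Authorization header of requests to /api/fabric/device/status, a follow-up request from the same source to /cgi-bin/ml-draw.py, and a .pth file dropped into a Python site-packages directory. The script below is an added example (not from cbcvebase, Fortinet, or any of the cited sources) that implements those checks over a handful of constructed access-log lines; the log layout, the source addresses and the token values are all assumptions made for the illustration, not FortiWeb's real log format.

```python
"""Detection logic for the CVE-2025-25257 indicators listed on the page.
Added example; the log format, IPs and tokens below are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

SQLI_ENDPOINT = "/api/fabric/device/status"   # vulnerable endpoint named on the page
RCE_PATH = "/cgi-bin/ml-draw.py"               # second step of the chain named on the page

# SQL metacharacters and keywords that have no place in a bearer token.
SQL_META = re.compile(
    r"['\"`;#]|--|/\*|\bOR\b|\bUNION\b|\bSELECT\b|\bINTO\s+OUTFILE\b",
    re.IGNORECASE,
)

# Constructed (hypothetical) log layout:  ts src "METHOD path proto" status auth="..."
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) auth="(?P<auth>[^"]*)"$'
)


@dataclass
class Finding:
    ts: str
    src: str
    rule: str
    detail: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_token(auth: str) -> bool:
    """True when the Authorization value carries SQL metacharacters or keywords."""
    return bool(SQL_META.search(auth))


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Flag SQLi attempts on the fabric endpoint and the SQLi -> ml-draw.py chain."""
    findings: List[Finding] = []
    tainted = {}  # src -> timestamp of its first suspicious hit on SQLI_ENDPOINT
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        path = ev["path"].split("?", 1)[0]  # drop any query string
        if path == SQLI_ENDPOINT and suspicious_token(ev["auth"]):
            tainted.setdefault(ev["src"], ev["ts"])
            findings.append(Finding(ev["ts"], ev["src"], "sqli-in-authorization",
                                    f"SQL metacharacters in bearer token: {ev['auth']!r}"))
        elif path == RCE_PATH and ev["src"] in tainted:
            # Only a request that follows a tainted hit from the same source is the chain.
            findings.append(Finding(ev["ts"], ev["src"], "sqli-to-rce-chain",
                                    f"{RCE_PATH} requested after tainted hit at {tainted[ev['src']]}"))
    return findings


def suspicious_pth_write(path: str) -> bool:
    """File-creation check for the persistence indicator: a .pth under site-packages."""
    norm = path.replace("\\", "/")
    return norm.endswith(".pth") and "/site-packages/" in norm


# Constructed sample log: one benign token, one injected token, one chained follow-up,
# and one unrelated ml-draw.py request from a source that never hit the SQLi endpoint.
SAMPLE_LOG = [
    '2025-07-14T10:00:01Z 198.51.100.7 "GET /api/fabric/device/status HTTP/1.1" 200 auth="Bearer 3f9a0c77e1b2"',
    '2025-07-14T10:00:02Z 203.0.113.9 "GET /api/fabric/device/status HTTP/1.1" 200 auth="Bearer x\' OR 1=1 -- "',
    '2025-07-14T10:00:05Z 203.0.113.9 "GET /cgi-bin/ml-draw.py HTTP/1.1" 200 auth=""',
    '2025-07-14T10:01:00Z 192.0.2.5 "GET /cgi-bin/ml-draw.py HTTP/1.1" 404 auth=""',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.src} [{f.rule}] {f.detail}")
    print(suspicious_pth_write("/usr/lib/python3.8/site-packages/persist.pth"))
```

The chain rule deliberately keys on the source address having already produced a suspicious token: an isolated request to /cgi-bin/ml-draw.py is noisy on its own, whereas the two-step sequence from one source is the pattern the page describes. In a real deployment the Authorization check should run on the raw header before any normalization, since the page's point is that the token reaches the query unsanitized.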

CVSS provenance

Source      Version  Score  Severity  Vector
nvd         v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck   -        9.8    CRITICAL  -
cisa        -        9.8    CRITICAL  -