CVE-2025-25257
Published: 2025-07-17
Priority: P197 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2025-08-08
Exploited in the wild
EPSS: 96.71% (99.9th percentile)
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.7, FortiWeb 7.2.0 through 7.2.10, FortiWeb 7.0.0 through 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortinet | — | — |
| fortinet | fortiweb | — | — |
| fortinet | fortiweb | >= 7.0.0 < 7.0.11 | 7.0.11 |
| fortinet | fortiweb | 7.0.0 – 7.0.10 | — |
| fortinet | fortiweb | >= 7.2.0 < 7.2.11 | 7.2.11 |
| fortinet | fortiweb | 7.2.0 – 7.2.10 | — |
| fortinet | fortiweb | >= 7.4.0 < 7.4.8 | 7.4.8 |
| fortinet | fortiweb | 7.4.0 – 7.4.7 | — |
| fortinet | fortiweb | >= 7.6.0 < 7.6.4 | 7.6.4 |
| fortinet | fortiweb | 7.6.0 – 7.6.3 | — |
Detection & IOCs (extracted from sources)
- Detect SQLi attempts via crafted Authorization/Bearer headers in HTTP requests targeting /api/fabric/device/status on FortiWeb devices. The injection pattern uses SQL OR logic in the bearer token.
- Monitor for creation of .pth files in Python site-packages directories on FortiWeb appliances, which is the persistence/RCE mechanism used by the exploit.
- Monitor for unexpected HTTP requests to /cgi-bin/ml-draw.py following requests to /api/fabric/device/status, as this two-step pattern is the exploit chain for achieving RCE.
- The vulnerable code path is in get_fabric_user_by_token(), which uses unsanitized bearer token input in a raw SQL query; look for SQL metacharacters in Authorization headers.
- Detect use of MySQL SELECT … INTO OUTFILE via SQLi to write arbitrary files on the FortiWeb filesystem, which is the escalation technique from SQLi to RCE.
- Check Point IPS signature available for this CVE: 'Fortinet FortiWeb SQL Injection CVE-2025-25257'.
- Web shell infections on FortiWeb instances are being actively tracked; Shadowserver observed 85 infections on July 14 and 77 on July 15, 2025.
- The vulnerable endpoint (/api/fabric/device/status) is part of FortiWeb's Fabric Connector feature. Disabling the HTTP/HTTPS administrative interface restricts access to this endpoint as a temporary mitigation if patching is not immediately possible.
- Affected versions span multiple FortiWeb branches: 7.6.0–7.6.3, 7.4.0–7.4.7, 7.2.0–7.2.10, and 7.0.0–7.0.10. Patched versions are 7.6.4, 7.4.8, 7.2.11, and 7.0.11.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-mj4r-rpwm-gg33 (ghsa_unreviewed · 2025-07-17 · CRITICAL · CWE-89)
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in Fortinet FortiWeb version 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10 and below 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.
VulnCheck
Fortinet FortiWeb SQL Injection Vulnerability (vulncheck · 2025 · CVSS 9.8 · CRITICAL · CWE-89)
Fortinet FortiWeb contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.
Affected: Fortinet FortiWeb
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-25257; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-07-13&host_type=src&vulnerability=cve-2025-25257; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-07-14&host_type=src&vulnerability=cve-2025-25257; https://d
VulnCheck
Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability (vulncheck · 2024 · CVSS 9.8 · CVE-2024-55591 · CRITICAL · CWE-288)
Fortinet FortiOS and FortiProxy contain an authentication bypass vulnerability that may allow an unauthenticated, remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module.
Affected: Fortinet FortiOS and FortiProxy
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.rapid7.com/blog/post/2025/01/16/etr-fortinet-firewalls-hit-with-new-zero-day-attack-older-data-leak
CISA
Fortinet FortiWeb SQL Injection Vulnerability (cisa · 2025-07-18 · CVSS 9.8 · CRITICAL · CWE-89)
Affected: Fortinet FortiWeb
Fortinet FortiWeb contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://fortiguard.fortinet.com/psirt/FG-IR-25-151; https://nvd.nist.gov/vuln/detail/CVE-2025-25257
Remediation Due Date: 2025-08-08
Fortinet
FG-IR-25-151 (vendor_fortinet · 2025-07-17 · CVSS 9.8 · CRITICAL · CWE-89)
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.7, FortiWeb 7.2.0 through 7.2.10, FortiWeb 7.0.0 through 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.
CVEs: CVE-2025-25257
CWEs: CWE-89
CVSS: 9.8 (critical)
Affected products: FortiWeb, Fortinet
Suricata
ET WEB_SPECIFIC_APPS Fortinet FortiWeb Fabric Connector Unauthenticated SQL Injection (CVE-2025-25257) M1 (suricata · 2025-07-14 · CVSS 9.8 · CRITICAL)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Fortinet FortiWeb Fabric Connector Unauthenticated SQL Injection (CVE-2025-25257) M1"; flow:established,to_server; http.uri; content:"/api/fabric/device/status"; fast_pattern; startswith; http.header; to_lowercase; content:"authorization|3a 20|bearer|20|"; pcre:"/^.*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/R"; reference:url,labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/; reference:cve,2025-25257; classtype:web-application-attack; sid:2063426; rev:1; metadata:attack_target Server, created_at 2025_07_14, cve CVE_2025_25257, deployment Perimeter, deployment Internal, confidenc
Suricata
ET WEB_SPECIFIC_APPS Fortinet FortiWeb Fabric Connector Unauthenticated SQL Injection (CVE-2025-25257) M2 (suricata · 2025-07-14 · CVSS 9.8 · CRITICAL)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Fortinet FortiWeb Fabric Connector Unauthenticated SQL Injection (CVE-2025-25257) M2"; flow:established,to_server; http.uri; content:"/api/v"; startswith; content:"/fabric/widget/"; fast_pattern; distance:1; within:15; http.header; to_lowercase; content:"authorization|3a 20|bearer|20|"; pcre:"/^.*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/R"; reference:url,labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/; reference:cve,2025-25257; classtype:web-application-attack; sid:2063427; rev:1; metadata:affected_product FortiWeb, attack_target Server, created_at 2025_07_14, cve CVE_2025_2
Exploit-DB
FortiWeb Fabric Connector 7.6.x - SQL Injection to Remote Code Execution (exploitdb · 2026-02-04 · CVSS 9.8 · CRITICAL)
---
# Exploit Title: FortiWeb Fabric Connector 7.6.x - Pre-authentication SQL Injection to Remote Code Execution
# Date: 2025-10-05
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: [email protected]
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Tested on: Win, Ubuntu
# CVE : CVE-2025-25257
Overview
CVE-2025-25257 is a pre-authentication SQL Injection vulnerability in
Fortinet FortiWeb Fabric Connector versions 7.0 through 7.6.x.
This flaw allows attackers to inject malicious SQL commands into the
vulnerable API endpoint, potentially leading to Remote Code Execution (RCE).
PoC
curl -k -H "Authorization: Bearer aaa' OR '1'='1" \
https:///api/fabric/device/status
PoC Python
import requests
d
Nuclei
Fortinet FortiWeb - SQL Injection (nuclei · CVSS 9.8 · CRITICAL)
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.
Template:
```yaml
id: CVE-2025-25257

info:
  name: Fortinet FortiWeb - SQL Injection
  author: watchtowr,johnk3r
  severity: critical
  description: |
    An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.
  impact: |
    An attacker can exploit this vulnerability to execute unauthorized SQL commands, potentially leading to data exposure, data manipulat
```
Tenable
7 Questions EDR Providers Hope You Won’t Ask About Their “Exposure Management” Solution (blogs_tenable · 2025-11-05)
Talos
This is your sign to step away from the keyboard (blogs_talos · 2025-07-17)
Welcome to this week’s edition of the Threat Source newsletter.
Burnout is a real issue for people in cybersecurity. We protect the systems that allow modern life to function. Our hours are long, our sense of responsibility real and occasionally heavy. Everyone notices when we have a bad day and an attack evades our protections, but nobody notices our best days when complex threats are detected and neutralized. Our failures are very visible, while our successes are imperceptible to others. This, coupled with a professional propensity to always consider negative outcomes, is a recipe for poor mental health – not to mention that we spend most of our waking hours sitting in front of screens, engaging with machines.
Making a difference and stopping the bad guys means being in cybersecurity for the
Bleepingcomputer
New Fortinet FortiWeb hacks likely linked to public RCE exploits (blogs_bleepingcomputer · 2025-07-16 · CVSS 9.8 · CRITICAL)
## Bill Toulas
Multiple Fortinet FortiWeb instances recently infected with web shells are believed to have been compromised using public exploits for a recently patched remote code execution (RCE) flaw tracked as CVE-2025-25257.
News of the exploitation activity comes from threat monitoring platform The Shadowserver Foundation, which observed 85 infections on July 14 and 77 on the next day.
The researchers reported that these Fortinet FortiWeb instances are believed to be compromised through the CVE-2025-25257 flaw.
CVE-2025-25257 is a critical pre-authenticated RCE via SQL injection (SQLi) affecting FortiWeb 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, and 7.0.0 through 7.0.10.
Fortinet released pa
Checkpoint
14th July – Threat Intelligence Report (blogs_checkpoint · 2025-07-14 · tagged CVE-2025-49719)
## 14th July – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 14th July, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
McDonald’s has suffered a data breach that resulted in the exposure of chat transcripts, session tokens, and personal data from more than 64 million job applications submitted through its AI powered McHire chatbot platform. Data leaked included applicants’ names, email addresses, phone numbers, home addresses, availability, and
Bleepingcomputer
Exploits for pre-auth Fortinet FortiWeb RCE flaw released, patch now (blogs_bleepingcomputer · 2025-07-11 · CVSS 9.8 · CRITICAL)
## Lawrence Abrams
Proof-of-concept exploits have been released for a critical SQLi vulnerability in Fortinet FortiWeb that can be used to achieve pre-authenticated remote code execution on vulnerable servers.
FortiWeb is a web application firewall (WAF), which is used to protect web applications from malicious HTTP traffic and threats.
The FortiWeb vulnerability has a 9.8/10 severity score and is tracked as CVE-2025-25257. Fortinet fixed it last week in FortiWeb 7.6.4, 7.4.8, 7.2.11, and 7.0.11 and later versions.
"An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or comm
Greynoiseio
NoiseLetter July 2025 (blogs_greynoiseio)
Timeline
- 2025-07-17: Published
- 2025-07-18: Added to CISA KEV
- Exploited in the wild