WatchTowr Labs reveals CVE-2025-25257, a vital FortiWeb SQL injection permitting unauthenticated distant code execution. Patch your FortiWeb 7.0, 7.2, 7.4, 7.6 gadgets instantly to stop full system compromise. Replace NOW!
Cybersecurity researchers have uncovered a significant weak point, CVE-2025-25257, in a key a part of Fortinet’s safety software program: the FortiWeb Cloth Connector, important for linking Fortinet’s net software firewall (FortiWeb) with different safety instruments, enabling dynamic protections.
The vulnerability was initially reported to Fortinet by Kentaro Kawane from GMO Cybersecurity by Ierae. The following demonstration of escalating the vulnerability to full system management was carried out and printed by watchTowr Labs, and the findings have been shared completely with Hackread.com.
What Occurred?
That is an “unauthenticated SQL injection in GUI” flaw, which suggests attackers can exploit a weak point within the system’s administrative interface with no need a username or password, tricking the FortiWeb system into working their very own dangerous instructions by sending specifically designed requests over the web.
WatchTowr Labs found this hidden drawback by evaluating FortiWeb model 7.6.4 with an older model, 7.6.3. They pinpointed the weak point within the get_fabric_user_by_token operate throughout the /bin/httpsd program. This operate, supposed for logins from different Fortinet gadgets like FortiGate firewalls, didn’t correctly test incoming data, permitting injection of dangerous instructions utilizing the Authorisation: Bearer header in requests to /api/cloth/gadget/standing.
Preliminary makes an attempt have been tough resulting from limitations like disallowing areas in instructions. Nonetheless, researchers cleverly bypassed this utilizing MySQL’s remark syntax (/**/). This made the SQL injection profitable, even permitting them to completely bypass the login test with a easy 'or'1'='1 command, which returned a “200 OK” message confirming success.
From Easy Trick to Taking Management
Researchers managed to escalate this preliminary SQL injection into Distant Code Execution (RCE). They achieved this utilizing MySQL’s INTO OUTFILE assertion to write down recordsdata on to the system’s listing. A vital discovering was that the database course of ran with root privileges, permitting it to put dangerous recordsdata nearly wherever.
Though direct execution wasn’t attainable, they leveraged an current Python script within the /cgi-bin folder that routinely executed with excessive privileges. By writing a particular Python file (.pth) to a particular Python listing, they may drive the system to run their very own Python code, demonstrating an entire system compromise.
Potential Penalties and What to Do
If exploited, an attacker may achieve full management of your FortiWeb gadget and probably different related methods. This dangers delicate information theft, service disruption, or utilizing your methods for additional assaults, resulting in important monetary, reputational, and authorized injury.
To remain protected, instantly replace your FortiWeb system to the patched model. If a direct replace isn’t possible, Fortinet suggests quickly disabling the HTTP/HTTPS administrative interface as a workaround.
Listed below are the main points of the impacted FortiWeb variations:
- 7.6.0 via 7.6.3 (improve to 7.6.4 or newer)
- 7.4.0 via 7.4.7 (improve to 7.4.8 or newer)
- 7.2.0 via 7.2.10 (improve to 7.2.11 or newer)
- 7.0.0 via 7.0.10 (improve to 7.0.11 or newer)
