Fortinet has launched fixes for a crucial safety flaw impacting FortiWeb that might allow an unauthenticated attacker to run arbitrary database instructions on vulnerable situations.
Tracked as CVE-2025-25257, the vulnerability carries a CVSS rating of 9.6 out of a most of 10.0.
“An improper neutralization of particular parts utilized in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in FortiWeb could permit an unauthenticated attacker to execute unauthorized SQL code or instructions through crafted HTTP or HTTPs requests,” Fortinet mentioned in an advisory launched this week.
The shortcoming impacts the next variations –
- FortiWeb 7.6.0 by 7.6.3 (Improve to 7.6.4 or above)
- FortiWeb 7.4.0 by 7.4.7 (Improve to 7.4.8 or above)
- FortiWeb 7.2.0 by 7.2.10 (Improve to 7.2.11 or above)
- FortiWeb 7.0.0 by 7.0.10 (Improve to 7.0.11 or above)
Kentaro Kawane from GMO Cybersecurity, who was just lately credited with reporting a set of crucial flaws in Cisco Identification Providers and ISE Passive Identification Connector (CVE-2025-20286, CVE-2025-20281, and CVE-2025-20282), has been acknowledged for locating the problem.
In an evaluation printed immediately, watchTowr Labs mentioned the issue is rooted in a operate referred to as “get_fabric_user_by_token” that is related to the Cloth Connector element, which acts as a bridge between FortiWeb and different Fortinet merchandise.
The operate, in flip, is invoked from one other operate named “fabric_access_check,” that is referred to as from three completely different API endpoints: “/api/material/gadget/standing,” “/api/v[0-9]/material/widget/[a-z]+,” and “/api/v[0-9]/material/widget.”
The problem is that attacker-controlled enter – handed through a Bearer token Authorization header in a specifically crafted HTTP request – is handed on to an SQL database question with out enough sanitization to make it possible for it isn’t dangerous and doesn’t embrace any malicious code.
The assault will be prolonged additional to distant code execution by embedding a SELECT … INTO OUTFILE assertion to jot down a malicious payload to a file within the underlying working system by profiting from the truth that the question is run because the “mysql” person, and execute it through Python.
“The brand new model of the operate replaces the earlier format-string question with ready statements – an affordable try to forestall simple SQL injection,” safety researcher Sina Kheirkhah mentioned.
As non permanent workarounds till the mandatory patches will be utilized, customers are really helpful to disable HTTP/HTTPS administrative interface.
With flaws in Fortinet units having been exploited by menace actors up to now, it is important that customers transfer shortly to replace to the most recent model to mitigate potential dangers.
