Fortinet has released patches for a serious SQL‑injection vulnerability affecting its FortiWeb Web Application Firewall tracked as CVE‑2025‑25257, rated CVSS 9.6. Reported by GMO Cybersecurity and confirmed by watchTowr Labs and Arctic Wolf, the flaw allows unauthenticated attackers to inject arbitrary SQL via the GUI’s Fabric Connector API endpoints. This could lead to full database compromise or remote code execution depending on the backend configuration. Fortinet recommends updating affected versions (7.0.x–7.6.x) to the latest patched releases and disabling HTTP/HTTPS admin access if patching isn’t immediately possible.
Vulnerability Overview
The flaw identified as CVE‑2025‑25257 is a critical pre-authentication SQL injection vulnerability found in Fortinet’s FortiWeb product, specifically within its Fabric Connector functionality. With a CVSS score of 9.6, the issue allows remote attackers to send manipulated Bearer tokens to the /api/fabric/device/status endpoint, which is used for internal authentication and system status queries. When exploited, this vulnerability allows unauthorized access and, in advanced cases, remote code execution (RCE).
Root Cause: Unsafe Query Construction
At the heart of the issue lies the function get_fabric_user_by_token(), which takes the Authorization Bearer token and inserts it directly into a SQL statement using snprintf(), a C string-formatting function that offers no protection against injection. Because neither parameterized queries nor input sanitization are used, an attacker can inject SQL by supplying a token such as ' OR '1'='1' -- . This causes the backend to authenticate the attacker without a valid token or credentials.
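The unsafe construction described above beside a parameterized lookup, as an added example that is not FortiWeb's or Fortinet's code: the table name, columns, token alphabet and the in-memory sqlite3 backend are assumptions standing in for the appliance's MySQL-backed user lookup.

```python
import re
import sqlite3

# Constructed stand-in for the appliance's fabric user table (assumed schema, not FortiWeb's).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fabric_user (id INTEGER PRIMARY KEY, name TEXT, token TEXT)")
    conn.execute("INSERT INTO fabric_user (name, token) VALUES ('fabric-admin', 'tok-8f3a1c')")
    conn.commit()
    return conn

def get_fabric_user_unsafe(conn, token):
    # Mirrors the snprintf()-style pattern: the Bearer token is pasted into the SQL text,
    # so quote characters inside the token change the structure of the query.
    sql = "SELECT id, name FROM fabric_user WHERE token='%s'" % token
    return conn.execute(sql).fetchone()

def get_fabric_user_safe(conn, token):
    # Parameterized query: the token is bound as a value and never parsed as SQL,
    # so the same input is compared literally against the stored token.
    return conn.execute("SELECT id, name FROM fabric_user WHERE token=?", (token,)).fetchone()

# Assumed token alphabet; adjust to the real token format of the system being protected.
TOKEN_RE = re.compile(r"^[A-Za-z0-9._-]{8,128}$")

def is_well_formed_token(token):
    # Defense in depth: allowlist the token shape before it reaches the database at all.
    return bool(TOKEN_RE.fullmatch(token))

if __name__ == "__main__":
    bypass = "' OR '1'='1' --"  # the token shape quoted in the write-up above
    db = make_db()
    print("unsafe:", get_fabric_user_unsafe(db, bypass))  # row returned: no valid token needed
    print("safe  :", get_fabric_user_safe(db, bypass))    # None: no such token exists
    print("shape :", is_well_formed_token(bypass))        # False: rejected before any query runs
```

The unsafe variant returns the stored user for the quoted token while the parameterized variant returns nothing, which is exactly the difference the patch needs to enforce.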
Exploitation Pathway to RCE
While initial exploitation results in unauthorized API access, attackers can escalate further. Through the SQL injection, they can use MySQL's SELECT ... INTO OUTFILE to write arbitrary files onto the server. Researchers have demonstrated how a .pth file can be planted in Python's site-packages directory, causing the system to execute malicious Python code when the next CGI script (e.g., ml-draw.py) runs. Since CGI scripts on FortiWeb often execute with root privileges, this leads directly to full system compromise.
Security Misconfigurations Amplify Risk
One critical factor exacerbating this vulnerability is that the MySQL process on FortiWeb runs as root, contrary to least-privilege best practices. This gives the attacker write access to sensitive directories like /usr/local/lib/python*/dist-packages, allowing manipulation of interpreter behavior. Once control is gained, the attacker can install backdoors, add rogue users, manipulate system services, or even corrupt logs to evade detection.
Left unpatched, this vulnerability can be weaponized by attackers to read, modify, or destroy critical firewall configuration. In deployments where the database interfaces with OS-level subsystems, SQL injection may even pave the way to remote command execution. Because FortiWeb, as a web application firewall, often resides at the network perimeter, any compromise could have widespread implications for an organization's security posture and data protection.
https://fortiguard.fortinet.com/psirt/FG-IR-24-435