CVE-2025-25257: Pre-Authentication RCE in Fortinet FortiWeb

A critical, unauthenticated SQL injection vulnerability, identified as CVE-2025-25257, has been disclosed in multiple versions of Fortinet’s FortiWeb Web Application Firewall (WAF). The vulnerability allows for the execution of arbitrary SQL commands, which can be escalated to achieve remote code execution (RCE) with the highest possible system privileges (root) on the underlying appliance operating system.

Threat alert
July 18, 2025


Publicly available Proof-of-Concept (PoC) exploit code that automates the entire attack chain has been released by multiple security research entities, and threat actors are actively and widely exploiting CVE-2025-25257 in the wild. The most commonly observed post-exploitation activity is the deployment of webshells on compromised FortiWeb appliances.

Vulnerability Analysis

The vulnerability is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command, and the flaw lies in the Fabric Connector. This module is the bridge that lets FortiWeb communicate and synchronise policies with other products in the Fortinet Security Fabric ecosystem, such as FortiGate firewalls and FortiManager.

The root cause is in the get_fabric_user_by_token function within the FortiWeb httpsd binary. The function uses snprintf to build a raw SQL query, formatting a user-supplied value directly into the query text without any sanitisation and without a prepared statement. Note that this is SQL injection through string formatting, not a memory-safety format-string bug: the format string itself is fixed and snprintf bounds the write to 0x400 bytes, so the only thing the attacker controls is the SQL that ends up in the buffer:

snprintf(s, 0x400u, "select id from fabric_user.user_table where token='%s'", a1);

The unsanitised variable a1 is taken directly from an attacker-controlled HTTP request. An attacker reaches this code path by sending a GET request to one of several API endpoints associated with the Fabric Connector, with /api/fabric/device/status being the primary documented vector. The payload is carried in the Authorization header, as the token portion of a Bearer token string. Because the query is the lookup that would validate the token, it runs before any authentication decision is made, which is what makes the attack pre-authentication: a single quote in the token closes the string literal and everything after it is interpreted as SQL.
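The following Python model is an added example, not FortiWeb code and not Fortinet's fix. It reproduces the shape of the snprintf pattern above against an in-memory SQLite table standing in for fabric_user.user_table (the table name, the sample tokens and the request headers are all constructed), extracts the token from an Authorization: Bearer header the way the text describes, and contrasts the vulnerable string-formatted lookup with a parameterised one:

```python
import sqlite3


def make_db():
    """Constructed stand-in for fabric_user.user_table (sample rows, not appliance data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_table (id INTEGER PRIMARY KEY, token TEXT)")
    db.executemany(
        "INSERT INTO user_table (id, token) VALUES (?, ?)",
        [(1, "a3f9c1e2d4b5"), (2, "7b2e9f0c1d3a")],
    )
    return db


def bearer_token(headers):
    """Return the token part of 'Authorization: Bearer <token>', or None if absent."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def lookup_vulnerable(db, token):
    """Mirror of the snprintf pattern: the token is formatted straight into the SQL text.

    snprintf's 0x400 byte limit only truncates the query; it does nothing to
    neutralise a quote inside the token, so the attacker controls the WHERE clause.
    """
    sql = "select id from user_table where token='%s'" % token
    return sorted(row[0] for row in db.execute(sql))


def lookup_parameterised(db, token):
    """Hardened form: the token is bound as a parameter and can never become SQL."""
    rows = db.execute("select id from user_table where token=?", (token,))
    return sorted(row[0] for row in rows)


def handle_request(db, headers, vulnerable=True):
    """Simulated pre-auth handler: look the presented token up before deciding anything."""
    token = bearer_token(headers)
    if token is None:
        return None  # no credential presented at all
    lookup = lookup_vulnerable if vulnerable else lookup_parameterised
    return lookup(db, token)


if __name__ == "__main__":
    db = make_db()
    probe = {"Authorization": "Bearer ' OR '1'='1"}  # constructed injection payload
    print("vulnerable   :", handle_request(db, probe, vulnerable=True))   # every user id
    print("parameterised:", handle_request(db, probe, vulnerable=False))  # no match
```

With the injected token the vulnerable lookup matches every row of the table even though no such token exists, while the parameterised lookup matches nothing; the same quote that breaks the string literal in the model is what breaks it in the appliance's query.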

Vulnerable Versions and Mitigations

The vulnerability affects a wide range of FortiWeb versions across multiple major release branches. The affected product lines and patched versions include:  

Version        Affected               Solution
FortiWeb 7.6   7.6.0 through 7.6.3    Upgrade to 7.6.4 or above
FortiWeb 7.4   7.4.0 through 7.4.7    Upgrade to 7.4.8 or above
FortiWeb 7.2   7.2.0 through 7.2.10   Upgrade to 7.2.11 or above
FortiWeb 7.0   7.0.0 through 7.0.10   Upgrade to 7.0.11 or above

Recommended Actions

The following steps are prioritised for remediation and risk reduction:

Immediate Patching: The only definitive remediation is to upgrade all vulnerable FortiWeb appliances to the patched firmware versions listed above.

Apply Workarounds: If immediate patching is not possible, Fortinet's recommended workaround is to disable the HTTP/HTTPS administrative interface, which removes the attack surface entirely. If the interface is required for operations, restrict access to it with firewall rules and ACLs so that only a trusted, internal management network can reach it. Any appliance whose management interface has been exposed to the internet should be considered compromised and investigated for the webshells described above rather than simply patched.
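As a check a defender can run while patching is scheduled, the following added example (not from the advisory or from Fortinet) flags HTTP requests that match the attack shape described in the vulnerability analysis: a request to a Fabric Connector endpoint whose Bearer token contains SQL metacharacters. It parses raw request text such as a proxy or packet capture in front of the management interface would yield; the sample requests are constructed, the /api/fabric/ prefix comes from the documented vector, and the assumption that a legitimate token is a single unspaced run of URL-safe characters is this example's, not Fortinet's:

```python
import re

# Constructed raw HTTP requests (as seen by a reverse proxy or in a capture);
# none of these are real captured traffic.
SAMPLE_REQUESTS = [
    # Opaque token, nothing suspicious
    "GET /api/fabric/device/status HTTP/1.1\r\nHost: waf.example\r\n"
    "Authorization: Bearer 7b2e9f0c1d3a\r\n\r\n",
    # Quote closes the token literal, comment discards the rest of the query
    "GET /api/fabric/device/status HTTP/1.1\r\nHost: waf.example\r\n"
    "Authorization: Bearer ' OR 1=1 -- \r\n\r\n",
    # Union-based probe against the same endpoint
    "GET /api/fabric/device/status HTTP/1.1\r\nHost: waf.example\r\n"
    "Authorization: Bearer x' UNION SELECT 1,2,3/*\r\n\r\n",
    # Quote in a token on an unrelated endpoint: out of scope for this rule
    "GET /api/v2.0/example HTTP/1.1\r\nHost: waf.example\r\n"
    "Authorization: Bearer o'hara\r\n\r\n",
]

FABRIC_PREFIX = "/api/fabric/"
# Assumption (not from Fortinet): a legitimate token is one unspaced run of these characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9._~+/=-]+")
# Quote, SQL comment openers, or whole-word SQL keywords inside the token.
SQL_META_RE = re.compile(r"'|--|/\*|\b(?:or|and|union|select|into|outfile)\b", re.IGNORECASE)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased header dict)."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def classify(raw):
    """Return the reasons a request looks like a CVE-2025-25257 probe; empty list if none."""
    _method, path, headers = parse_request(raw)
    if not path.startswith(FABRIC_PREFIX):
        return []
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer":
        return []
    reasons = []
    if not TOKEN_RE.fullmatch(token):
        reasons.append("bearer token contains characters outside the expected token alphabet")
    if SQL_META_RE.search(token):
        reasons.append("bearer token contains SQL metacharacters or keywords")
    return reasons


def scan(requests):
    """Return (path, reasons) for every request that triggers the rule."""
    hits = []
    for raw in requests:
        reasons = classify(raw)
        if reasons:
            hits.append((parse_request(raw)[1], reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_REQUESTS):
        print(path, "->", "; ".join(reasons))
```

The keyword part of SQL_META_RE is deliberately loose and will occasionally flag an innocent token that happens to contain a word such as "or", so treat a keyword-only hit as lower confidence than a quote or comment sequence, and scope the rule to the Fabric Connector endpoints as shown rather than to every Bearer token the appliance sees.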