Fortinet recently released a patch for the CVE-2025-25257 vulnerability in its FortiWeb product. The vulnerability, scored 9.6/10 on the CVSS scale, allows unauthenticated hackers to execute malicious SQL commands remotely and may even hijack the system if not handled in time.

1752483170886.png

The vulnerability stems from a function called get_fabric_user_by_token in the Fabric Connector component – which is responsible for connecting FortiWeb to other Fortinet products.

The error belongs to the SQL Injection group (CWE – 89) – a common but extremely dangerous error that exists at the API level. When FortiWeb receives an HTTP request with a Bearer token in the header. The system will call the get construct user by token, then fabric access check.

Data from this token is not properly checked and sanitized but is still fed directly into the SQL query.

The result: hackers can write and execute arbitrary SQL commands on their own, even without even logging into the system.

Particularly dangerous: If a SQL instruction is incorporated such as SELECT… INTO OUTFILE, hackers can write a malicious file to the system (e.g., a Python script), then execute it to gain access – from SQUL Injection to Remote Code Execution (RCE).

The following FortiWeb versions are all affected:

  • 7.6.0 7.7.3 Update to 7.4
  • 7.4.0 7.3.7 Update to 7.8
  • 7.2.0 7.1.1 Updated to 7.0.11
  • 7.0.0 7.1.1 Update to 7.O.11

Fortinet replaced dangerous SQL queries with prepared statements in the patch. SQL Injection does not require authentication, which means hackers can exploit it without a system account.

  • Easily attacked endpoint APIs include:
    • / api/fabric/device/status
    • /api/v[0-9]/fabric/widget/
  • If the organization’s FortiWeb system is opening the HTTP/HTTpS administration interface to the internet, the risk of remote exploitation is very high.

Recommended solutions:

  • Update the patch immediately to the correct version of FortiWeb.
  • While waiting for updates, disable the HTTP/HTTpS administration interface if not necessary – this is the primary route of attack.
  • Check system logs and SQL queries for signs of exploitation.
  • Apply the “least privilege” principle to users and services, limiting the file permissions of the server’s user account if possible.
  • Regularly evaluating API security, due to endpoints APids are increasingly targeted by hackers.

FortiWeb is no longer “invulnerable fortress”. This incident is a wake – up call that even security devices are not immune to risk. A small programming error such as a lack of input checks can throw open the door to hackers.

Given its high severity, large scope of impact, and easy exploitation, organizations using FortiWeb need to take immediate action to patch errors, test systems, and tighten access controls.