Fortinet has launched fixes for a crucial safety flaw impacting FortiWeb that might allow an unauthenticated attacker to run arbitrary database instructions on inclined situations.
Tracked as CVE-2025-25257, the vulnerability carries a CVSS rating of 9.6 out of a most of 10.0.
“An improper neutralization of particular parts utilized in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in FortiWeb could enable an unauthenticated attacker to execute unauthorized SQL code or instructions through crafted HTTP or HTTPs requests,” Fortinet stated in an advisory launched this week.
The shortcoming impacts the next variations –
- FortiWeb 7.6.0 by way of 7.6.3 (Improve to 7.6.4 or above)
- FortiWeb 7.4.0 by way of 7.4.7 (Improve to 7.4.8 or above)
- FortiWeb 7.2.0 by way of 7.2.10 (Improve to 7.2.11 or above)
- FortiWeb 7.0.0 by way of 7.0.10 (Improve to 7.0.11 or above)
Kentaro Kawane from GMO Cybersecurity, who was not too long ago credited with reporting a set of crucial flaws in Cisco Id Providers and ISE Passive Id Connector (CVE-2025-20286, CVE-2025-20281, and CVE-2025-20282), has been acknowledged for locating the problem.
In an evaluation printed immediately, watchTowr Labs stated the issue is rooted in a operate known as “get_fabric_user_by_token” that is related to the Material Connector part, which acts as a bridge between FortiWeb and different Fortinet merchandise.
The operate, in flip, is invoked from one other operate named “fabric_access_check,” that is known as from three totally different API endpoints: “/api/material/system/standing,” “/api/v[0-9]/material/widget/[a-z]+,” and “/api/v[0-9]/material/widget.”
The problem is that attacker-controlled enter – handed through a Bearer token Authorization header in a specifically crafted HTTP request – is handed on to an SQL database question with out satisfactory sanitization to be sure that it isn’t dangerous and doesn’t embrace any malicious code.
The assault could be prolonged additional to distant code execution by embedding a SELECT … INTO OUTFILE assertion to jot down a malicious payload to a file within the underlying working system by benefiting from the truth that the question is run because the “mysql” consumer, and execute it through Python.
“The brand new model of the operate replaces the earlier format-string question with ready statements – an inexpensive try to forestall easy SQL injection,” safety researcher Sina Kheirkhah stated.
As momentary workarounds till the required patches could be utilized, customers are advisable to disable HTTP/HTTPS administrative interface.
With flaws in Fortinet gadgets having been exploited by menace actors prior to now, it is important that customers transfer rapidly to replace to the newest model to mitigate potential dangers.
