With two proof-of-concept (PoC) exploits made public late last week, CVE-2025-25257 – a critical SQL command injection vulnerability in Fortinet’s FortiWeb web application firewall – is expected to be leveraged by attackers soon.

About CVE-2025-25257

CVE-2025-25257 is found in FortiWeb’s Fabric Connector, the software that allows FortiWeb to communicate with other Fortinet security products (e.g., FortiGate firewalls, FortiSandbox, etc.).

The flaw stems from the solution’s failure to properly neutralize special elements and, if triggered, it may allow unauthented attackers to achieve remote code execution with root privileges, by executing unauthorized SQL code/commands via crafted HTTP or HTTPs requests.

Fortinet has patched CVE-2025-25257 last week, crediting prolific bug hunter Kentaro Kawane from GMO Cybersecurity with reporting it.

CVE-2025-25257 exploitation made easy

On Friday, watchTowr researchers published their own deep-dive into FortiWeb in search of the flaw, and released a script that attempts to detect if FortiWeb is vulnerable to CVE-2025-25257.

“An unauthenticated attacker can trigger SQLi via an HTTP request to the /api/fabric/device/status endpoint (and possibly several other endpoints, according to [watchTowr’s] analysis). The Authorization header will contain a Bearer value that forms part of an unsanitized SQL statement, leading to the SQLi,” Rapid7 security engineer Stephen Fewer succinctly explained the exploitation process outlined by watchTowr’s researchers.

“An attacker can leverage the SQLi to achieve RCE by creating several SQL statements to write a Python .pth file to a common Python site packages directory, and then indirectly triggering the execution of a known Python script via an HTTP request, which in turn will execute the attackers malicious pth file with root privileges.”

Another security researcher said they’ve unearthed CVE-2025-25257 in February 2025 but did not report it to Fortinet at the time. They’ve also published a working exploit for CVE-2025-25257 on Friday.

At the moment, there is no indication that the vulnerability is being actively exploited by attackers, but the situation might change quickly.

FortiWeb users would do well to mitigate the risk as soon as possible, either by upgrading their FortiWeb installation(s) to version 7.6.4 or above, 7.4.8 or above, 7.2.11 or above, or 7.0.11 or above; or by disabling the solution’s HTTP/HTTPS administrative interface.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!

Share.

Comments are closed.