Critical Vulnerability Exposes Fortinet FortiWeb to Full Takeover (CVE-2025-25257)

WatchTowr Labs reveals CVE-2025-25257, a critical FortiWeb SQL injection allowing unauthenticated remote code execution. Patch your FortiWeb 7.0, 7.2, 7.4, 7.6 devices immediately to prevent full system compromise. Update NOW!

Cybersecurity researchers have uncovered a major weakness, CVE-2025-25257, in a key part of Fortinet’s security software: the FortiWeb Fabric Connector, vital for linking Fortinet’s web application firewall (FortiWeb) with other security tools, enabling dynamic protections.

The vulnerability was initially reported to Fortinet by Kentaro Kawane from GMO Cybersecurity by Ierae. The subsequent demonstration of escalating the vulnerability to full system control was performed and published by watchTowr Labs, and the findings were shared exclusively with Hackread.com.

This is an “unauthenticated SQL injection in GUI” flaw, which means attackers can exploit a weakness in the system’s administrative interface without needing a username or password, tricking the FortiWeb system into running their own harmful commands by sending specially designed requests over the internet.

WatchTowr Labs discovered this hidden problem by comparing FortiWeb version 7.6.4 with an older version, 7.6.3. They pinpointed the weakness in the get_fabric_user_by_token function within the /bin/httpsd program. This function, intended for logins from other Fortinet devices like FortiGate firewalls, failed to properly check incoming information, allowing injection of harmful commands using the Authorisation: Bearer header in requests to /api/fabric/device/status.

Initial attempts were tricky due to limitations like disallowing spaces in commands. However, researchers cleverly bypassed this using MySQL’s comment syntax (/**/). This made the SQL injection successful, even allowing them to fully bypass the login check with a simple 'or'1'='1 command, which returned a “200 OK” message confirming success.

Researchers managed to escalate this initial SQL injection into Remote Code Execution (RCE). They achieved this using MySQL’s INTO OUTFILE statement to write files directly to the system’s directory. A critical finding was that the database process ran with root privileges, allowing it to place harmful files almost anywhere.

Although direct execution wasn’t possible, they leveraged an existing Python script in the /cgi-bin folder that automatically executed with high privileges. By writing a special Python file (.pth) to a specific Python directory, they could force the system to run their own Python code, demonstrating a complete system compromise.

If exploited, an attacker could gain full control of your FortiWeb device and potentially other connected systems. This risks sensitive data theft, service disruption, or using your systems for further attacks, leading to significant financial, reputational, and legal damage.

To stay protected, immediately update your FortiWeb system to the patched version. If an immediate update isn’t feasible, Fortinet suggests temporarily disabling the HTTP/HTTPS administrative interface as a workaround.

Here are the details of the impacted FortiWeb versions: