Fortinet has announced security patches addressing a critical vulnerability in FortiWeb, which could allow unauthenticated attackers to execute arbitrary database commands on affected systems. This vulnerability, labeled CVE-2025-25257, has been assigned a CVSS score of 9.6, indicating its severity.
The issue arises from an SQL injection flaw that allows attackers to run unauthorized SQL code through specially crafted HTTP requests. This was revealed in an advisory published by Fortinet, which emphasized the potential for exploitation via a Bearer token in the authorization header.
The affected versions include:
- FortiWeb 7.6.0 to 7.6.3 (Update to 7.6.4 or later)
- FortiWeb 7.4.0 to 7.4.7 (Update to 7.4.8 or later)
- FortiWeb 7.2.0 to 7.2.10 (Update to 7.2.11 or later)
- FortiWeb 7.0.0 to 7.0.10 (Update to 7.0.11 or later)
Kentaro Kawane from GMO Cybersecurity discovered the flaw, building on previous reports of critical issues in Cisco products. The root of the problem lies in a function called "get_fabric_user_by_token" within Fortinet’s Fabric Connector, which improperly processes input that can directly influence SQL database queries without adequate security measures.
Experts, including researchers from watchTowr Labs, highlight the risks involved, showing how the vulnerability could be exploited to execute harmful commands, potentially writing results to files on the operating system under the mysql user.
To mitigate risks until patches are implemented, it is advised that users disable the HTTP/HTTPS administrative interface. With the history of vulnerabilities in Fortinet devices being exploited, updating to the latest versions is critical to securing systems against attacks.
Welcome to DediRock, your trusted partner in high-performance hosting solutions. At DediRock, we specialize in providing dedicated servers, VPS hosting, and cloud services tailored to meet the unique needs of businesses and individuals alike. Our mission is to deliver reliable, scalable, and secure hosting solutions that empower our clients to achieve their digital goals. With a commitment to exceptional customer support, cutting-edge technology, and robust infrastructure, DediRock stands out as a leader in the hosting industry. Join us and experience the difference that dedicated service and unwavering reliability can make for your online presence. Launch our website.