Jul 11, 2025Ravie LakshmananUnited States
Fortinet has launched fixes for a important safety flaw impacting FortiWeb that would allow an unauthenticated attacker to run arbitrary database instructions on vulnerable situations.
Tracked as CVE-2025-25257, the vulnerability carries a CVSS rating of 9.6 out of a most of 10.0.
“An improper neutralization of particular components utilized in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in FortiWeb could permit an unauthenticated attacker to execute unauthorized SQL code or instructions by way of crafted HTTP or HTTPs requests,” Fortinet mentioned in an advisory launched this week.
The shortcoming impacts the next variations –
FortiWeb 7.6.0 by 7.6.3 (Improve to 7.6.4 or above)
FortiWeb 7.4.0 by 7.4.7 (Improve to 7.4.8 or above)
FortiWeb 7.2.0 by 7.2.10 (Improve to 7.2.11 or above)
FortiWeb 7.0.0 by 7.0.10 (Improve to 7.0.11 or above)
Kentaro Kawane from GMO Cybersecurity, who was lately credited with reporting a set of important flaws in Cisco Identification Companies and ISE Passive Identification Connector (CVE-2025-20286, CVE-2025-20281, and CVE-2025-20282), has acknowledged for locating the difficulty.
In an evaluation revealed as we speak, watchTowr Labs mentioned the issue is rooted in a perform referred to as “get_fabric_user_by_token” that is related to the Cloth Connector element, which acts as a bridge between FortiWeb and different Fortinet merchandise.
The perform, in flip, is invoked from one other perform named “fabric_access_check,” that is referred to as from three totally different API endpoints: “/api/material/gadget/standing,” “/api/v[0-9]/material/widget/[a-z]+,” and “/api/v[0-9]/material/widget.”
The problem is that attacker-controlled enter – handed by way of a Bearer token Authorization header in a specifically crafted HTTP request – is handed on to an SQL database question with out ample sanitization to make it possible for it is not dangerous and doesn’t embrace any malicious code.
The assault will be prolonged additional by embedding a SELECT … INTO OUTFILE assertion to put in writing the outcomes of command execution to a file within the underlying working system by benefiting from the truth that the question is run because the “mysql” person.
“The brand new model of the perform replaces the earlier format-string question with ready statements – an inexpensive try to forestall easy SQL injection,” safety researcher Sina Kheirkhah mentioned.
As non permanent workarounds till the mandatory patches will be utilized, customers are really useful to disable HTTP/HTTPS administrative interface.
With flaws in Fortinet gadgets having been exploited by menace actors up to now, it is important that customers transfer rapidly to replace to the newest model to mitigate potential dangers.
Discovered this text attention-grabbing? Observe us on Twitter and LinkedIn to learn extra unique content material we submit.
