Proof-of-concept exploits have been released for a critical SQLi vulnerability in Fortinet FortiWeb that can be used to achieve pre-authenticated remote code execution on vulnerable servers.
FortiWeb is a web application firewall (WAF), which is used to protect web applications from malicious HTTP traffic and threats.
The FortiWeb vulnerability has a 9.8/10 severity score and is tracked as CVE-2025-25257. Fortinet fixed it last week in FortiWeb 7.6.4, 7.4.8, 7.2.11, and 7.0.11 and later versions.
"An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests," reads Fortinet's advisory.
The flaw was discovered by Kentaro Kawane from GMO Cybersecurity, who also disclosed a static hardcoded password vulnerability in Cisco ISE last month.
FortiWeb pre-auth SQLi to pre-auth RCE
Today, cybersecurity firm WatchTowr and a security researcher known as "faulty *ptrrr" released technical write-ups and proof-of-concept exploits that open reverse shells or a web shell.
The flaw is found in FortiWeb's Fabric Connector, which is software that synchronizes authentication and policy data between Fortinet products.
The software contains an unauthenticated SQL injection flaw in the get_fabric_user_by_token() function, which uses the following code to issue a MySQL query:
snprintf(s, 0x400u, "select id from fabric_user.user_table where token='%s'", a1);
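The snippet above formats the caller-supplied token straight into the SQL text, so a quote character in the token terminates the string literal and whatever follows is parsed as SQL. The C example below is added for illustration and is not code from FortiWeb or from either write-up: it places that unsafe pattern beside a hardened equivalent that validates the token against an assumed alphanumeric alphabet and keeps the SQL text fixed with a bind placeholder (the prepared-statement bind and execute step is left to the caller, since no database client is linked here).

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

/* Unsafe pattern as described in the write-up: the token becomes part of
 * the query text. A single quote inside it breaks out of the literal. */
int build_query_unsafe(char *out, size_t outlen, const char *token)
{
    return snprintf(out, outlen,
                    "select id from fabric_user.user_table where token='%s'",
                    token);
}

/* Counts single quotes in the query built the unsafe way. A well-formed
 * literal yields exactly two; any other count means the literal was
 * broken by the token. Useful for showing why string splicing fails. */
int unsafe_query_quote_count(const char *token)
{
    char sql[0x400];
    build_query_unsafe(sql, sizeof sql, token);
    int n = 0;
    for (const char *p = sql; *p != '\0'; p++)
        if (*p == '\'') n++;
    return n;
}

/* Hardened input check. Assumption for this example: a valid token is
 * non-empty, at most maxlen bytes, and alphanumeric only. Everything
 * else is rejected before it reaches the database layer. */
bool token_is_well_formed(const char *token, size_t maxlen)
{
    size_t n = 0;
    for (; token[n] != '\0'; n++) {
        if (n >= maxlen) return false;
        if (!isalnum((unsigned char)token[n])) return false;
    }
    return n > 0;
}

/* With a prepared statement the SQL text never changes; the token is
 * bound to the placeholder separately by the client library. */
const char *lookup_statement_template(void)
{
    return "select id from fabric_user.user_table where token=?";
}

int main(void)
{
    const char *sample = "ab'c";   /* constructed sample input */
    printf("quotes in unsafe query: %d\n", unsafe_query_quote_count(sample));
    printf("token accepted by validator: %s\n",
           token_is_well_formed(sample, 64) ? "yes" : "no");
    return 0;
}
```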