252/68 Monday, July 14, 2025
Fortinet has released a patch to address a critical vulnerability, tracked as CVE-2025-25257, with a CVSS severity score of 9.6/10. The flaw affects FortiWeb devices and allows unauthenticated attackers to send specially crafted SQL commands via HTTP or HTTPS requests, potentially granting unauthorized access to the database or allowing execution of unauthorized commands. The vulnerability impacts FortiWeb versions from 7.0.0 to 7.6.3, and users are strongly advised to update to versions 7.0.11, 7.2.11, 7.4.8, or 7.6.4 or later.
According to researchers at watchTowr Labs, the vulnerability stems from the get_fabric_user_by_token function, part of the Fabric Connector used to integrate FortiWeb with other Fortinet products. This function is invoked through various APIs, including /api/fabric/device/status and /api/v[0-9]/fabric/widget, which accept Authorization headers using Bearer tokens. These tokens were used directly in SQL queries without proper sanitization, making the system susceptible to SQL injection attacks.
Experts warn that the vulnerability could lead to remote code execution if an attacker manages to inject a SELECT ... INTO OUTFILE command to create and execute malicious files—especially since the database runs with mysql user privileges. Fortinet’s latest patch mitigates this risk by transitioning to the use of prepared statements for SQL queries, significantly reducing the potential for injection. System administrators are advised to temporarily restrict HTTP/HTTPS access if immediate patching is not feasible, in order to minimize exposure to potential attacks.
Source https://thehackernews.com/2025/07/fortinet-releases-patch-for-critical.html
