Fortinet has launched fixes for a crucial safety flaw impacting FortiWeb that would allow an unauthenticated attacker to run arbitrary database instructions on inclined situations.
Tracked as CVE-2025-25257, the vulnerability carries a CVSS rating of 9.6 out of a most of 10.0.
“An improper neutralization of particular parts utilized in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in FortiWeb could enable an unauthenticated attacker to execute unauthorized SQL code or instructions through crafted HTTP or HTTPs requests,” Fortinet mentioned in an advisory launched this week.
The shortcoming impacts the next variations –
- FortiWeb 7.6.0 by way of 7.6.3 (Improve to 7.6.4 or above)
- FortiWeb 7.4.0 by way of 7.4.7 (Improve to 7.4.8 or above)
- FortiWeb 7.2.0 by way of 7.2.10 (Improve to 7.2.11 or above)
- FortiWeb 7.0.0 by way of 7.0.10 (Improve to 7.0.11 or above)
Kentaro Kawane from GMO Cybersecurity, who was not too long ago credited with reporting a set of crucial flaws in Cisco Id Companies and ISE Passive Id Connector (CVE-2025-20286, CVE-2025-20281, and CVE-2025-20282), has been acknowledged for locating the problem.
In an evaluation revealed at this time, watchTowr Labs mentioned the issue is rooted in a perform referred to as “get_fabric_user_by_token” that is related to the Material Connector element, which acts as a bridge between FortiWeb and different Fortinet merchandise.
The perform, in flip, is invoked from one other perform named “fabric_access_check,” that is referred to as from three completely different API endpoints: “/api/material/gadget/standing,” “/api/v[0-9]/material/widget/[a-z]+,” and “/api/v[0-9]/material/widget.”
The problem is that attacker-controlled enter – handed through a Bearer token Authorization header in a specifically crafted HTTP request – is handed on to an SQL database question with out sufficient sanitization to ensure that it is not dangerous and doesn’t embrace any malicious code.
The assault may be prolonged additional by embedding a SELECT … INTO OUTFILE assertion to put in writing the outcomes of command execution to a file within the underlying working system by profiting from the truth that the question is run because the “mysql” consumer.
“The brand new model of the perform replaces the earlier format-string question with ready statements – an affordable try to stop easy SQL injection,” safety researcher Sina Kheirkhah mentioned.
As short-term workarounds till the required patches may be utilized, customers are really useful to disable HTTP/HTTPS administrative interface.
With flaws in Fortinet gadgets having been exploited by menace actors previously, it is important that customers transfer shortly to replace to the newest model to mitigate potential dangers.
