Ethical Hacking News
Fortinet's FortiWeb is a web application firewall (WAF) used to protect web applications from malicious HTTP traffic and threats. However, due to a critical SQL injection vulnerability, attackers can execute unauthorized remote code execution on affected servers. Promptly installing the latest patches and ensuring server security is crucial to preventing potential attacks.
A critical vulnerability in Fortinet's FortiWeb has been discovered, allowing server security to be exploited. The vulnerability, CVE-2025-25257, is rated 9.8/10 in severity and can be exploited for pre-authenticated remote code execution. The Fabric Connector software within Fortinet's products is affected by the vulnerability, which arises from a lack of proper sanitization in the get_fabric_user_by_token() function. The vulnerability allows attackers to inject custom SQL into the Authorization header and bypass authentication checks. Patches are available for FortiWeb version 7.6.4, 7.4.8, 7.2.11, and 7.0.11 and later versions to prevent server compromise.
A critical vulnerability in Fortinet's FortiWeb has been discovered, leaving server security vulnerable to exploitation. The bug, tracked as CVE-2025-25257 and rated 9.8/10 in severity, can be exploited for pre-authenticated remote code execution on affected servers.
The vulnerability was identified by Kentaro Kawane from GMO Cybersecurity and affects the Fabric Connector software within Fortinet's products. This software synchronizes authentication and policy data between Fortinet products, making it a crucial component of their security solutions. However, due to the lack of proper sanitization in the get_fabric_user_by_token() function, an unauthenticated SQL injection flaw has been discovered.
According to the advisory released by Fortinet, the vulnerability arises from the improper neutralization of special elements used in SQL commands, resulting in a CWE-89 (SQL Injection) vulnerability. This allows an attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.
The attackers can trigger this flaw through HTTP requests to specific endpoints on the affected server by injecting custom SQL into the Authorization header. This enables them to bypass authentication checks and access sensitive data. Furthermore, they can escalate the SQL injection to remote code execution by executing MySQL's SELECT ... INTO OUTFILE query to create arbitrary files on the device.
As a result of this vulnerability, attackers can write Python .pth files into the site-packages directory, which are automatically loaded and run when Python is executed. These malicious Python scripts can then be used to launch the attack and achieve remote code execution. The researchers found that a legitimate FortiWeb CGI Python script could be used for this purpose.
In light of this critical vulnerability, it is strongly advised by cybersecurity firms and experts that administrators prioritize installing the patches released by Fortinet for FortiWeb version 7.6.4, 7.4.8, 7.2.11, and 7.0.11 and later versions to prevent servers from being compromised.
Despite the urgency of this situation, there is currently no indication that the vulnerability is being actively exploited. However, it is expected that attackers will begin exploiting this vulnerability in the near future. Therefore, it is crucial for organizations with Fortinet products to take immediate action to address this security risk and ensure their server security is up-to-date.
The discovery of this critical vulnerability serves as a stark reminder of the importance of maintaining up-to-date software and keeping an eye on emerging threats. It also highlights the need for continuous monitoring and regular patching to protect against such vulnerabilities that could leave systems vulnerable to attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Fortinet-FortiWeb-Vulnerability-Leaves-Server-Security-at-Risk-What-You-Need-to-Know-ehn.shtml
https://www.bleepingcomputer.com/news/security/exploits-for-pre-auth-fortinet-fortiweb-rce-flaw-released-patch-now/
https://nvd.nist.gov/vuln/detail/CVE-2025-25257
https://www.cvedetails.com/cve/CVE-2025-25257/
Published: Fri Jul 11 15:20:24 2025 by llama3.2 3B Q4_K_M
