Ethical Hacking News
A critical vulnerability has been discovered in Fortinet's FortiWeb security system, leaving users exposed to remote code execution. This vulnerability, identified as CVE-2025-25257, was recently disclosed by Pierluigi Paganini, a renowned cybersecurity expert, and has since been made public through the release of proof-of-concept (PoC) exploits. Adminstrators are strongly advised to patch their FortiWeb systems immediately due to the availability of public exploits.
A critical vulnerability (CVE-2025-25257) has been discovered in Fortinet's FortiWeb security system, allowing remote code execution.The vulnerability is a result of an improper neutralization of special elements used in SQL commands, enabling unauthenticated attackers to execute unauthorized SQL code via crafted HTTP or HTTPS requests.A public exploit was released by Pierluigi Paganini and Kentaro Kawane from GMO Cybersecurity, which has been classified as having a critical severity level (CVSS 9.8).Fortinet has released security patches in versions 7.6.4, 7.4.8, 7.2.11, and 7.0.11 to address the vulnerability.Administrators are advised to patch their FortiWeb systems immediately due to the availability of public exploits, as there is no evidence of active exploitation yet but it is expected to change soon.
A critical vulnerability has been discovered in Fortinet's FortiWeb security system, leaving users exposed to remote code execution. This vulnerability, identified as CVE-2025-25257, was recently disclosed by Pierluigi Paganini, a renowned cybersecurity expert, and has since been made public through the release of proof-of-concept (PoC) exploits.
According to Fortinet's official advisory, the vulnerability is a result of an improper neutralization of special elements used in SQL commands, which allows unauthenticated attackers to execute unauthorized SQL code via crafted HTTP or HTTPS requests. This vulnerability has been classified as having a critical severity level (CVSS 9.8) and poses a significant threat to users who are running vulnerable versions of FortiWeb.
Kentaro Kawane from GMO Cybersecurity was the first researcher to report this vulnerability under responsible disclosure, after conducting an in-depth analysis of Fortinet's HTTPSd service between versions 7.6.3 and 7.6.4 using binary diffing. His findings revealed a specific change introduced in the new version that addressed the issue, ultimately leading to the discovery of the security patch.
However, once the vulnerability was discovered, researchers explored various methods to escalate it to remote code execution. They found an existing Python script (ml-draw.py) in the CGI directory, executed by Apache via /bin/python, and leveraged this to use a lesser-known Python feature: .pth files. When placed in Python's site-packages directory, these .pth files can execute arbitrary code if they include a line like import os.
WatchTowr researchers created a Detection Artifact Generator for FortiWeb CVE-2025-25257, which is available here, to help administrators identify and mitigate this vulnerability. Meanwhile, the researchers also explored ways to bypass file size limits and path constraints in INTO OUTFILE, ultimately leading to successful code execution through crafting and placing a .pth file that ran their desired Python code when the CGI script was triggered.
Fortinet has since released security patches in versions 7.6.4, 7.4.8, 7.2.11, and 7.0.11 to address this vulnerability. Kentaro Kawane from GMO Cybersecurity reported this vulnerability under responsible disclosure. The flaw is a SQL injection vulnerability (CWE-89) that allows unauthenticated attackers to execute unauthorized SQL commands via crafted HTTP or HTTPS requests.
In light of this critical vulnerability, administrators are strongly advised to patch their FortiWeb systems immediately due to the availability of public exploits. While there's no evidence of active exploitation yet, it is expected to change soon. This highlights the importance of regular security updates and patches in preventing such vulnerabilities from being exploited by malicious actors.
The discovery of this vulnerability serves as a reminder to always stay vigilant and proactive when it comes to cybersecurity. As more details about this vulnerability emerge, we will continue to monitor the situation and provide updates on any relevant developments.
Related Information:
https://www.ethicalhackingnews.com/articles/Patch-Immediately-Fortinet-FortiWeb-Vulnerability-Leaves-Users-Exposed-to-Remote-Code-Execution-ehn.shtml
https://securityaffairs.com/179874/security/patch-immediately-cve-2025-25257-poc-enables-remote-code-execution-on-fortinet-fortiweb.html
https://nvd.nist.gov/vuln/detail/CVE-2025-25257
https://www.cvedetails.com/cve/CVE-2025-25257/
Published: Sun Jul 13 23:20:10 2025 by llama3.2 3B Q4_K_M
