
Fortinet has released a fix for a critical security flaw in FortiWeb that could allow an unauthenticated attacker to execute arbitrary database commands on vulnerable instances.
Tracked as CVE-2025-25257, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0.
"An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests," Fortinet said in an advisory issued this week.
The shortcoming affects the following versions:
- FortiWeb 7.6.0 through 7.6.3 (upgrade to 7.6.4 or above)
- FortiWeb 7.4.0 through 7.4.7 (upgrade to 7.4.8 or above)
- FortiWeb 7.2.0 through 7.2.10 (upgrade to 7.2.11 or above)
- FortiWeb 7.0.0 through 7.0.10 (upgrade to 7.0.11 or above)
The flaw was reported by Kentaro Kawane of GMO Cybersecurity, who recently also reported a set of critical vulnerabilities in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (CVE-2025-20286, CVE-2025-20281, and CVE-2025-20282).
In an analysis published today, watchTowr Labs said the problem lies in a function called "get_fabric_user_by_token" that is associated with the Fabric Connector component, which acts as a bridge between FortiWeb and other Fortinet products.
The function, in turn, is invoked by another function called "fabric_access_check", which is reachable from three separate API endpoints: "/api/fabric/device/status", "/api/v[0-9]/fabric/widget/[a-z]+", and "/api/v[0-9]/fabric/widget".
The issue is that attacker-controlled input, a specially crafted HTTP request carrying the payload in the Bearer token of the Authorization header, is passed directly into the SQL database query without sufficient sanitization to ensure that it does not contain malicious SQL.
The attack can be escalated to remote code execution by using a SELECT ... INTO OUTFILE statement to write a malicious payload to a file on the underlying operating system, taking advantage of the fact that the query runs as the "mysql" user, and then having that file executed through Python.
Security researcher Sina Kheirkhah said, "The new version of the function replaces the previous format-string query with prepared statements."
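The two paragraphs above describe the bug and its fix in general terms: a Bearer token spliced into a format-string query, later replaced by a prepared statement. The following is an added example written for this article, not FortiWeb code or watchTowr's proof of concept. It models the token lookup with SQLite: the table name, column names, token values, and the helper names are all assumptions for illustration. It shows the vulnerable format-string lookup beside the parameterized one, and how a token containing SQL metacharacters returns a user from the former while the latter treats it as an opaque string.

```python
import sqlite3

# Constructed sample tokens (assumed values, not real FortiWeb credentials).
ADMIN_TOKEN = "tok-admin-7c9e1f"
READONLY_TOKEN = "tok-ro-41b2d8"

# A token carrying SQL metacharacters. With the format-string query below it
# turns the WHERE clause into "api_token = 'x' OR '1'='1'", matching every row.
INJECTED_TOKEN = "x' OR '1'='1"


def build_db():
    """Create an in-memory database with a constructed fabric_user table.

    The schema is an assumption for illustration, not FortiWeb's real schema.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE fabric_user (id INTEGER PRIMARY KEY, username TEXT, api_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO fabric_user (username, api_token) VALUES (?, ?)",
        [("fabric-admin", ADMIN_TOKEN), ("fabric-ro", READONLY_TOKEN)],
    )
    return conn


def extract_bearer(headers):
    """Return the token from an 'Authorization: Bearer <token>' header, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def get_fabric_user_by_token_vulnerable(conn, token):
    """Format-string query: the token is pasted into the SQL text verbatim,
    so quote characters in the token change the structure of the statement."""
    sql = "SELECT id, username FROM fabric_user WHERE api_token = '%s'" % token
    return conn.execute(sql).fetchall()


def get_fabric_user_by_token_fixed(conn, token):
    """Prepared statement: the SQL text is fixed and the token is bound as a
    parameter, so it can only ever be compared as data, never parsed as SQL."""
    sql = "SELECT id, username FROM fabric_user WHERE api_token = ?"
    return conn.execute(sql, (token,)).fetchall()


def fabric_access_check(conn, headers, lookup):
    """Resolve the caller from request headers using the given lookup function.

    Returns the matched username, or None if the header is missing or malformed
    or no row matches.
    """
    token = extract_bearer(headers)
    if token is None:
        return None
    rows = lookup(conn, token)
    return rows[0][1] if rows else None


def compare_lookups(token):
    """Run the same token through both lookups and return (vulnerable, fixed)."""
    conn = build_db()
    headers = {"Authorization": "Bearer " + token}
    return (
        fabric_access_check(conn, headers, get_fabric_user_by_token_vulnerable),
        fabric_access_check(conn, headers, get_fabric_user_by_token_fixed),
    )


if __name__ == "__main__":
    print("valid token   ->", compare_lookups(ADMIN_TOKEN))
    print("injected token->", compare_lookups(INJECTED_TOKEN))
```

With a legitimate token both lookups resolve the same user; with the injected token the format-string version returns the first row in the table while the parameterized version returns nothing, because the bound value is compared as a literal string. SQLite's `?` placeholder plays the role of the MySQL prepared statement the advisory fix introduced; the defensive property is the same, which is why parameterization rather than input filtering is the right fix for this class of bug.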
Where the patch cannot be applied immediately, users are advised to disable the HTTP/HTTPS administrative interface as a temporary workaround.
With Fortinet devices having been exploited by threat actors in the past, it is essential that users move quickly to update to the latest version to mitigate potential risks.