Recently, proof-of-concept exploits have emerged for a critical SQL Injection (SQLi) vulnerability in Fortinet’s FortiWeb, which enables pre-authenticated remote code execution on affected servers. This serious security flaw highlights the pressing need for robust cybersecurity measures in web application firewalls.
FortiWeb serves as a web application firewall (WAF) designed to safeguard web applications against malicious HTTP traffic and various cyber threats. Rated with a critical severity score of 9.8/10, the vulnerability is identified as CVE-2025-25257. Fortinet addressed this issue in its latest updates—releases 7.6.4, 7.4.8, 7.2.11, and 7.0.11 and later versions.
According to Fortinet’s advisory, “An improper neutralization of special elements used in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.” This statement underscores the gravity of the vulnerability and its implications for organizations that rely on FortiWeb for security.
The vulnerability was identified by Kentaro Kawane from GMO Cybersecurity, who recently disclosed another concerning static hardcoded password vulnerability in Cisco ISE. The potential for exploit in FortiWeb has now attracted attention from cybersecurity professionals.
Exploiting FortiWeb: From Pre-auth SQLi to Remote Code Execution
Cybersecurity firm WatchTowr, alongside researcher “faulty *ptrrr,” has published technical write-ups and proof-of-concept exploits that illustrate how to gain reverse shell or web shell access via this vulnerability. The SQL injection flaw is embedded within FortiWeb’s Fabric Connector—a tool that synchronizes authentication and policy data across Fortinet products.
Specifically, the vulnerability resides in the get_fabric_user_by_token() function, which issues a MySQL query using the following unsanitized code:
snprintf(s, 0x400u, "select id from fabric_user.user_table where token='%s'", a1);
This code fails to adequately sanitize the bearer token received in HTTP request headers, opening the door for attackers to inject custom SQL commands into the header. For instance, an attacker might exploit the vulnerability through HTTP requests directed at the /api/fabric/device/status endpoint by injecting SQL into the Authorization header (e.g., Bearer AAAAAA'or'1'='1), thereby circumventing authentication checks.
Researchers successfully escalated this SQL injection to achieve remote code execution by utilizing MySQL’s SELECT … INTO OUTFILE command via the SQLi flaw, enabling the creation of arbitrary files on the server. In practical terms, they were able to place a Python .pth file in the site-packages directory, an action that triggers automatic execution when Python runs.
By leveraging a legitimate FortiWeb CGI Python script (/cgi-bin/ml-draw.py), the researchers executed the malicious code stored in the .pth file, demonstrating the vulnerability’s far-reaching implications for server security.
Given the current availability of exploits, it is crucial for administrators to prioritize patching their systems. While there is no confirmed evidence of active exploitation at this time, the situation could change rapidly, making proactive measures essential.
As organizations increasingly face sophisticated cloud attacks, it is important to recognize that many successful techniques remain surprisingly simple. Insights drawn from Wiz’s detections across numerous organizations reveal eight key tactics employed by cloud-savvy threat actors.
Adopting comprehensive cybersecurity practices and staying informed about vulnerabilities like CVE-2025-25257 are vital steps in safeguarding systems and data against potential breaches.