Fortinet Issues Critical Patch for CVE-2025-25257 SQL Injection

Fortinet Releases Patch for Critical SQL Injection Flaw in FortiWeb (CVE-2025-25257)

Fortinet has issued a security patch addressing a significant SQL injection vulnerability tracked as CVE-2025-25257 in its FortiWeb web application firewall. This flaw allows unauthenticated attackers to execute arbitrary SQL commands, presenting a critical risk to database security. The vulnerability has been assigned a CVSS score of 9.6, indicating its severity.

The affected versions include:

• FortiWeb 7.6.0 through 7.6.3 (Upgrade to 7.6.4 or above)
• FortiWeb 7.4.0 through 7.4.7 (Upgrade to 7.4.8 or above)
• FortiWeb 7.2.0 through 7.2.10 (Upgrade to 7.2.11 or above)
• FortiWeb 7.0.0 through 7.0.10 (Upgrade to 7.0.11 or above)

The vulnerability arises from the function "get_fabric_user_by_token," where input from the Authorization header is directly passed into an SQL query without sufficient sanitization. This flaw can be exploited to inject malicious SQL code via crafted HTTP requests.

For more details, refer to the Fortinet advisory and an analysis by watchTowr Labs.

Technical Analysis of CVE-2025-25257

The SQL injection vulnerability stems from the improper handling of user input in the FortiWeb Fabric Connector component. This component connects FortiWeb to other Fortinet products, enhancing dynamic security updates based on real-time data.

In a detailed examination of the vulnerability, researchers identified that the input passed through the Authorization header is not adequately sanitized before being utilized in SQL database queries. Notably, the affected routes include:

• /api/fabric/device/status
• /api/v[0-9]/fabric/widget/[a-z]+
• /api/v[0-9]/fabric/widget

The improper handling allows attackers to exploit the system, making it imperative for users to update their systems promptly. Temporary workarounds include disabling the HTTP/HTTPS administrative interface.

For insights into the exploit mechanism, see the watchTowr Labs analysis.

Recommendations

To mitigate risks associated with CVE-2025-25257, users are strongly encouraged to upgrade their FortiWeb instances to the latest versions. Disabling the administrative interface can serve as a temporary measure while awaiting the application of necessary patches.

For further information on Fortinet's security advisories, visit the FortiGuard PSIRT.