Critical SQL injection vulnerability in Fortinet FortiWeb enables unauthenticated remote code execution
Take action: If you have Fortinet FortiWeb systems running versions 7.0 through 7.6.3, make sure their web admin interface is isolated from the internet and reachable only from trusted networks. Then plan a prompt patch. The patch became urgent once the PoC went public. If you can't patch for an extended period (more than a few weeks), consider disabling the web admin interface: that blocks the attacks, but it also blocks your normal admin work. Patching is the easier option.
Learn More
Fortinet has patched a critical flaw in its FortiWeb web application firewall that could allow unauthenticated attackers to execute unauthorized SQL commands and achieve remote code execution.
The vulnerability is tracked as CVE-2025-25257 (CVSS score 9.6): improper neutralization of special elements used in SQL commands (SQL injection) within FortiWeb's Graphical User Interface (GUI) component.
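To make the vulnerability class concrete, here is an added example (not FortiWeb code, and it says nothing about where FortiWeb's flaw actually sits) showing the same lookup built by string concatenation and with a bound parameter against a constructed in-memory SQLite table. The quote character in the second input changes the query's WHERE clause in the concatenated version and is treated as plain data in the parameterized one.

```python
"""Improper neutralization of special elements in SQL commands (CWE-89), the
class named in the advisory: a query built by concatenation beside the same
query with a bound parameter. Added example; the table below is constructed."""

import sqlite3


def make_db():
    """Constructed sample table standing in for any application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "viewer")])
    return conn


def lookup_concat(conn, name):
    """Vulnerable pattern: the caller's string becomes part of the SQL grammar,
    so a quote character inside `name` rewrites the WHERE clause."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    """Hardened pattern: the value travels as a bound parameter and is only
    ever compared as data, whatever characters it contains."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups on a benign name and on a name containing a quote.
    The correct answer for the second input is 'no such user' in both cases."""
    conn = make_db()
    benign = "alice"
    quoted = "nobody' OR '1'='1"
    return {
        "concat_benign": lookup_concat(conn, benign),
        "concat_quoted": lookup_concat(conn, quoted),
        "bound_benign": lookup_bound(conn, benign),
        "bound_quoted": lookup_bound(conn, quoted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:14} -> {rows}")
```

Only `lookup_bound` answers the quoted input with an empty result; `lookup_concat` returns every row because the input has become part of the query text. The fix in real code is the same as here: never splice untrusted input into SQL, bind it.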
Affected versions:
- FortiWeb 7.6: versions 7.6.0 through 7.6.3
- FortiWeb 7.4: versions 7.4.0 through 7.4.7
- FortiWeb 7.2: versions 7.2.0 through 7.2.10
- FortiWeb 7.0: versions 7.0.0 through 7.0.10
Patched versions:
- FortiWeb 7.6: versions 7.6.4 or above
- FortiWeb 7.4: versions 7.4.8 or above
- FortiWeb 7.2: versions 7.2.11 or above
- FortiWeb 7.0: versions 7.0.11 or above
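For fleet triage, the version ranges above can be checked mechanically. The following is an added example (not Fortinet tooling) that parses FortiWeb version strings, classifies each against the affected and fixed ranges listed in this advisory, and flags vulnerable appliances whose admin interface is internet-exposed for action first. The inventory hostnames, versions and exposure flags are constructed for the example; note that versions must be compared as integer tuples, since a plain string comparison would rank 7.2.10 below 7.2.9.

```python
"""Fleet-triage helper for CVE-2025-25257: classify FortiWeb version strings
against the affected and fixed ranges stated in the advisory.
Added example, not Fortinet tooling; the sample inventory is constructed."""

# Per release branch: (first affected, last affected, first fixed), from the advisory.
BRANCH_RANGES = {
    (7, 6): ((7, 6, 0), (7, 6, 3), (7, 6, 4)),
    (7, 4): ((7, 4, 0), (7, 4, 7), (7, 4, 8)),
    (7, 2): ((7, 2, 0), (7, 2, 10), (7, 2, 11)),
    (7, 0): ((7, 0, 0), (7, 0, 10), (7, 0, 11)),
}


def parse_version(text):
    """Turn 'FortiWeb 7.4.7', 'v7.4.7' or '7.4.7' into an integer tuple.
    Tuples compare numerically per component, so 7.2.10 > 7.2.9."""
    token = text.strip().split()[-1].lstrip("vV")
    parts = token.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(version):
    return ".".join(str(n) for n in version)


def assess(version_text):
    """Return (status, first_fixed_version_or_None) for one appliance.
    status is 'vulnerable', 'patched' or 'not-in-advisory' (branch not listed)."""
    v = parse_version(version_text)
    ranges = BRANCH_RANGES.get(v[:2])
    if ranges is None:
        return ("not-in-advisory", None)
    first, last, fixed = ranges
    if first <= v <= last:
        return ("vulnerable", fmt(fixed))
    return ("patched", None)


def triage(inventory):
    """Map hostname -> (status, fix) and list hosts that are both vulnerable
    and internet-exposed, which the advisory says to isolate or patch first.
    inventory: iterable of (hostname, version_string, admin_ui_internet_exposed)."""
    report = {}
    urgent = []
    for host, version, exposed in inventory:
        status, fix = assess(version)
        report[host] = (status, fix)
        if status == "vulnerable" and exposed:
            urgent.append(host)
    return report, sorted(urgent)


# Constructed sample inventory; hostnames, versions and exposure are made up.
SAMPLE_INVENTORY = [
    ("fwb-dmz-01", "FortiWeb 7.6.3", True),
    ("fwb-dmz-02", "FortiWeb 7.6.4", True),
    ("fwb-corp-01", "v7.2.10", False),
    ("fwb-lab-01", "7.0.11", False),
    ("fwb-old-01", "6.4.9", True),
]

if __name__ == "__main__":
    report, urgent = triage(SAMPLE_INVENTORY)
    for host, (status, fix) in report.items():
        print(f"{host:12} {status:16} {'upgrade to ' + fix if fix else ''}")
    print("isolate or patch first:", urgent)
```

A version outside the four listed branches is reported as `not-in-advisory` rather than `patched`, because the advisory makes no statement about it; treat such appliances as unknown until Fortinet's own version list says otherwise.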
For organizations unable to upgrade to the fixed versions immediately, a temporary mitigation is to disable the HTTP/HTTPS administrative interface. This mitigation limits administrative capabilities and is not considered a permanent solution.
Update: as of the 11th of July 2025, watchTowr and an independent security researcher known as "faulty *ptrrr" have released technical write-ups and proof-of-concept exploits.