Updated:
Status:
CVEs: CVE-2025-25257
Fortra is actively researching a critical unauthenticated SQL injection vulnerability in FortiWeb, tracked as CVE-2025-25257. It allows a remote attacker, without any credentials, to execute arbitrary SQL commands against the appliance via crafted HTTP or HTTPS requests, which can lead to full compromise of the system.
Who is affected?
The following FortiWeb versions are affected by this vulnerability:
- FortiWeb 7.6.0 through 7.6.3
- FortiWeb 7.4.0 through 7.4.7
- FortiWeb 7.2.0 through 7.2.10
- FortiWeb 7.0.0 through 7.0.10
For the authoritative list, refer to the vendor's official advisory (PSIRT | FortiGuard Labs).
What can I do?
Customers are advised to upgrade to a fixed release to remediate this vulnerability:
- Upgrade FortiWeb 7.6 to 7.6.4 or later
- Upgrade FortiWeb 7.4 to 7.4.8 or later
- Upgrade FortiWeb 7.2 to 7.2.11 or later
- Upgrade FortiWeb 7.0 to 7.0.11 or later
Where an upgrade cannot be applied immediately, the vendor advisory lists disabling the HTTP/HTTPS administrative interface as a workaround; treat that as a stopgap until the appliance is patched, not as a fix.
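The two lists above are the whole of the remediation procedure: read the running version, decide whether it falls inside an affected range, and pick the first fixed build for that branch. The following Python is an added example (not Fortra's or Fortinet's code) that performs exactly that check against the ranges published here. The banner lines it parses are constructed samples shaped like a FortiWeb `get system status` version line; the exact banner format on a given appliance is an assumption, and the regex only relies on an X.Y.Z version appearing somewhere in the text. Versions are compared as integer tuples rather than strings, which is the edge case that matters here: as strings, "7.2.10" sorts before "7.2.9" and would be misclassified.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges and first fixed builds for CVE-2025-25257, as listed in this advisory.
# Each entry: (branch, first affected, last affected, first fixed).
ADVISORY = [
    ("7.6", (7, 6, 0), (7, 6, 3), (7, 6, 4)),
    ("7.4", (7, 4, 0), (7, 4, 7), (7, 4, 8)),
    ("7.2", (7, 2, 0), (7, 2, 10), (7, 2, 11)),
    ("7.0", (7, 0, 0), (7, 0, 10), (7, 0, 11)),
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> Optional[Version]:
    """Return the first X.Y.Z version found in a banner as an int tuple, or None.

    Example banner (constructed sample, format assumed):
        'Version: FortiWeb-VM 7.4.3,build0734,240513'
    Integer tuples compare numerically, so (7, 2, 10) > (7, 2, 9) as intended.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


@dataclass
class Assessment:
    version: Version
    status: str                 # "vulnerable", "fixed", or "unlisted"
    upgrade_to: Optional[str]   # first fixed build when status is "vulnerable"


def assess(banner: str) -> Assessment:
    """Classify a FortiWeb version banner against the CVE-2025-25257 ranges.

    - Inside an affected range           -> "vulnerable", with the build to upgrade to
    - On a listed branch but past the
      last affected build                -> "fixed"
    - On a branch the advisory does not
      list (e.g. 6.x)                    -> "unlisted": confirm against the vendor advisory
    """
    v = parse_version(banner)
    if v is None:
        raise ValueError(f"no X.Y.Z version found in banner: {banner!r}")
    branch = f"{v[0]}.{v[1]}"
    for listed_branch, first, last, fixed in ADVISORY:
        if listed_branch == branch:
            if first <= v <= last:
                return Assessment(v, "vulnerable", ".".join(map(str, fixed)))
            return Assessment(v, "fixed", None)
    return Assessment(v, "unlisted", None)


def report(banners: dict) -> dict:
    """Assess a {host: banner} mapping and return {host: (status, upgrade_to)}."""
    return {host: (a.status, a.upgrade_to)
            for host, a in ((h, assess(b)) for h, b in banners.items())}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and banners are not real devices.
    sample = {
        "waf-edge-1": "Version: FortiWeb-VM 7.4.3,build0734,240513",
        "waf-edge-2": "Version: FortiWeb-VM 7.2.10,build0123,250101",
        "waf-edge-3": "Version: FortiWeb-VM 7.6.4,build0901,250701",
        "waf-legacy": "Version: FortiWeb-VM 6.4.2,build0511,230201",
    }
    for host, (status, fix) in report(sample).items():
        print(f"{host}: {status}" + (f" -> upgrade to {fix}" if fix else ""))
```

Run it against your own inventory by replacing the `sample` mapping with banners collected from each appliance; anything reported as "unlisted" is outside the ranges this advisory covers and should be checked against the vendor advisory rather than assumed safe.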
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities.
- Alert Logic: On July 17, 2025, checks for authenticated and unauthenticated scans were added and released for Fusion VM.
- IP360: On July 23, 2025, Tripwire released authenticated and unauthenticated scan coverage to identify instances vulnerable to CVE-2025-25257. A vulnerable instance is flagged under ID 746002 (authenticated) or 746003 (unauthenticated).
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated with new information about this vulnerability and related security coverage as it becomes available.
- 07/17/2025: Checks for authenticated and unauthenticated scans added and released to Fusion VM.
- 07/23/2025: Tripwire released authenticated and unauthenticated scan coverage to identify vulnerable instances of CVE-2025-25257.