Fortra is actively researching a critical unauthenticated SQL injection vulnerability affecting FortiWeb products, identified as CVE-2025-25257. This vulnerability allows remote attackers to execute arbitrary SQL commands via crafted HTTP(S) requests without authentication, potentially resulting in full system compromise.
Who is affected?
The following FortiWeb versions are affected by this vulnerability.
- FortiWeb 7.6.0 through 7.6.3
- FortiWeb 7.4.0 through 7.4.7
- FortiWeb 7.2.0 through 7.2.10
- FortiWeb 7.0.0 through 7.0.10
For a detailed list, please refer to the vendor’s official advisory: PSIRT | FortiGuard Labs
What can I do?
Customers are advised to update to the latest versions to mitigate this vulnerability:
- Upgrade FortiWeb 7.6 to 7.6.4 or later
- Upgrade FortiWeb 7.4 to 7.4.8 or later
- Upgrade FortiWeb 7.2 to 7.2.11 or later
- Upgrade FortiWeb 7.0 to 7.0.11 or later
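To turn the two lists above into a repeatable check, here is an added Python example (not Fortra's or Fortinet's code) that parses a FortiWeb version string, tests it against the affected ranges and returns the release the advisory says to upgrade to; the function names and the sample inventory are assumptions.

```python
from typing import NamedTuple

class Branch(NamedTuple):
    first: tuple   # first affected release in the branch (inclusive)
    last: tuple    # last affected release in the branch (inclusive)
    fixed: str     # release that closes CVE-2025-25257 for the branch

# Affected ranges and fixed releases exactly as listed in the advisory.
AFFECTED = {
    (7, 6): Branch((7, 6, 0), (7, 6, 3), "7.6.4"),
    (7, 4): Branch((7, 4, 0), (7, 4, 7), "7.4.8"),
    (7, 2): Branch((7, 2, 0), (7, 2, 10), "7.2.11"),
    (7, 0): Branch((7, 0, 0), (7, 0, 10), "7.0.11"),
}

def parse_version(text: str) -> tuple:
    """Turn '7.4.7', 'v7.4.7' or 'FortiWeb 7.4.7' into an int tuple (7, 4, 7)."""
    # Integer tuples compare numerically, so 7.2.10 correctly sorts after 7.2.9.
    token = text.strip().split()[-1].lstrip("vV")
    parts = token.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(text: str) -> dict:
    """Say whether one version is in an affected range and what to upgrade to."""
    ver = parse_version(text)
    branch = AFFECTED.get(ver[:2])       # None for branches the advisory omits
    affected = branch is not None and branch.first <= ver <= branch.last
    return {
        "version": ".".join(map(str, ver)),
        "affected": affected,
        "upgrade_to": branch.fixed if affected else None,
    }

def hosts_needing_upgrade(inventory: str) -> list:
    """Scan 'hostname,version' lines; return (host, version, fix) for affected ones."""
    findings = []
    for line in inventory.strip().splitlines():
        host, version = (field.strip() for field in line.split(",", 1))
        result = triage(version)
        if result["affected"]:
            findings.append((host, result["version"], result["upgrade_to"]))
    return findings

# Constructed sample inventory: hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = """
waf-dmz-01,7.6.3
waf-dmz-02,7.6.4
waf-lab-01,FortiWeb v7.2.10
waf-lab-02,7.0.11
"""
```

Running `hosts_needing_upgrade(SAMPLE_INVENTORY)` flags waf-dmz-01 and waf-lab-01 only; a version on a branch the advisory does not list is reported as not affected, so treat such hosts as unverified rather than safe.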
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities.
- Alert Logic: On July 17, 2025, checks for authenticated and unauthenticated scans were added and released for Fusion VM.
- Tripwire IP360: On July 23, 2025, Tripwire released authenticated and unauthenticated scan coverage to identify vulnerable instances of CVE-2025-25257. If the vulnerability is identified, it will be flagged under ID 746002 (authenticated) or 746003 (unauthenticated).
- Fortra VM: On August 15, 2025, added mappings for remote scan.
- Core Impact: On July 1, 2025, Core Impact customers received a new exploit module targeting CVE-2025-25257, a SQL injection vulnerability in Fortinet FortiWeb (versions 7.6.3 and 7.6.2). This module leverages the /api/fabric/device/status endpoint to check for the vulnerability, upload a webshell, and execute OS commands. It then uploads and runs a Python script to grant execution permissions to the webshell. Finally, it sends several requests to the webshell to deploy a Core Impact agent. After deployment, it removes both the webshell and the script from the target system to maintain operational security.
- Log: On July 16, 2025, a log analytic was released to detect requests targeting application endpoints commonly associated with reconnaissance activity in chained SQL injection to remote code execution (SQLi→RCE) exploitation, specifically for FortiWeb CVE-2025-25257.
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated with new information about this vulnerability and related security coverage as it becomes available.
- 07/1/2025: Core Impact customers received a new module that exploits CVE-2025-25257 in Fortinet FortiWeb to deploy an agent with root privileges. The module checks for vulnerability, uploads a webshell and script, deploys the agent, and then removes all traces from the target system.
- 07/16/2025: Released a log analytic to detect reconnaissance-related requests exploiting FortiWeb CVE-2025-25257 through chained SQLi→RCE.
- 07/17/2025: Checks for authenticated and unauthenticated scans added and released to Fusion VM.
- 07/23/2025: Tripwire released authenticated and unauthenticated scan coverage to identify vulnerable instances of CVE-2025-25257.
- 08/15/2025: Added mappings for remote scan.
