Fortra is actively researching a critical unauthenticated SQL injection vulnerability affecting FortiWeb products, tracked as CVE-2025-25257. The flaw allows a remote, unauthenticated attacker to execute arbitrary SQL commands via crafted HTTP(S) requests, potentially resulting in full system compromise.
Who is affected?
The following FortiWeb versions are affected by this vulnerability.
- FortiWeb 7.6.0 through 7.6.3
- FortiWeb 7.4.0 through 7.4.7
- FortiWeb 7.2.0 through 7.2.10
- FortiWeb 7.0.0 through 7.0.10
For a detailed list, please refer to the vendor’s official advisory: PSIRT | FortiGuard Labs
What can I do?
Customers are advised to update to the latest versions to mitigate this vulnerability:
- Upgrade FortiWeb 7.6 to 7.6.4 or later
- Upgrade FortiWeb 7.4 to 7.4.8 or later
- Upgrade FortiWeb 7.2 to 7.2.11 or later
- Upgrade FortiWeb 7.0 to 7.0.11 or later
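The affected ranges and fixed releases listed above can be turned into a simple inventory triage check. The following is an added example (not Fortra's or Fortinet's code); the hostnames and versions in the sample inventory are constructed, and a version outside every listed range returns None only because the advisory does not list it as affected, not because it has been confirmed safe.

```python
"""Triage FortiWeb versions against the CVE-2025-25257 affected ranges in this advisory."""
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, fixed release) per branch, bounds inclusive, as in the advisory.
AFFECTED = [
    ((7, 6, 0), (7, 6, 3), (7, 6, 4)),
    ((7, 4, 0), (7, 4, 7), (7, 4, 8)),
    ((7, 2, 0), (7, 2, 10), (7, 2, 11)),
    ((7, 0, 0), (7, 0, 10), (7, 0, 11)),
]


def parse_version(text: str) -> Version:
    """Parse 'FortiWeb 7.2.10', 'v7.2.10' or '7.2.10' into an int tuple.

    Comparing ints (not strings) matters here: lexicographically '7.2.10' < '7.2.9',
    which would misclassify the last affected 7.2 release.
    """
    token = text.strip().split()[-1].lstrip("vV")
    parts = token.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fixed_version_for(text: str) -> Optional[str]:
    """Return the release to upgrade to if the version falls in a listed range, else None."""
    v = parse_version(text)
    for low, high, fixed in AFFECTED:
        if low <= v <= high:
            return ".".join(str(n) for n in fixed)
    return None


def triage(inventory: dict) -> dict:
    """Map hostname -> required upgrade; hosts not in a listed range are omitted."""
    result = {}
    for host, ver in inventory.items():
        fix = fixed_version_for(ver)
        if fix is not None:
            result[host] = fix
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up for illustration).
    sample = {"waf-01": "FortiWeb 7.2.10", "waf-02": "7.4.8", "waf-03": "v7.0.2", "waf-04": "7.6.4"}
    for host, fix in triage(sample).items():
        print(f"{host}: upgrade to {fix} or later")
```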
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities.
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated with new information about this vulnerability and related security coverage as it becomes available.