CVE-2025-25257 — Fortinet FortiWeb SQL Injection Vulnerability

CVE-2025-25257

Fortinet FortiWeb — Pre-Auth SQL Injection to RCE via Fabric Connector Bearer Token (Exploited in the Wild Within Days of Disclosure)

What is Fortinet FortiWeb?

Fortinet FortiWeb is a Web Application Firewall (WAF) appliance used by enterprises and government agencies to protect web applications by inspecting and filtering HTTP/HTTPS traffic. As noted for CVE-2025-64446, FortiWeb's perimeter position and privileged view of web application traffic make it a recurring target. CVE-2025-25257 is a distinct SQL injection vulnerability (not to be confused with CVE-2025-64446, a path traversal) in a different component: the Fabric Connector API served by the management interface.

Overview

CVE-2025-25257 is a critical SQL injection vulnerability (CWE-89, CVSS 9.8) in Fortinet FortiWeb's Fabric Connector component. The get_fabric_user_by_token() function handles HTTP requests to /api/fabric/device/status and places the Bearer token from the Authorization header directly into an SQL query string, with no parameterization or sanitization. An unauthenticated attacker therefore injects SQL through a crafted Bearer token, and the injection can be chained to OS-level command execution as root. Fortinet published its advisory and patches on 8 July 2025; public exploit code appeared on Exploit-DB and GitHub within three days, Shadowserver Foundation observed active exploitation from 11 July 2025, and CISA added the CVE to the KEV catalog on 18 July 2025.

Affected Versions

Branch          Vulnerable        Fixed
FortiWeb 7.0.x  7.0.0 – 7.0.10    7.0.11
FortiWeb 7.2.x  7.2.0 – 7.2.10    7.2.11
FortiWeb 7.4.x  7.4.0 – 7.4.7     7.4.8
FortiWeb 7.6.x  7.6.0 – 7.6.3     7.6.4

Technical Details

The vulnerability (CWE-89: SQL Injection) is in FortiWeb's Fabric Connector API handler. The get_fabric_user_by_token() function processes incoming HTTP requests to the /api/fabric/device/status endpoint. It extracts the Bearer token from the Authorization header and formats it straight into an SQL query string, with no parameterization, escaping, or input validation. The token value is therefore the injection point: a request whose Bearer token contains SQL syntax has that syntax executed by the appliance's database as part of the lookup query.

The SQL injection enables:

  1. Authentication bypass and data exfiltration: a token such as ' OR '1'='1 satisfies the lookup without any valid token, and UNION-based or blind techniques read arbitrary data from the FortiWeb database (user records, configuration, certificates).
  2. File write through SQL: FortiWeb's backing database is MySQL, and the publicly documented chain uses SELECT ... INTO OUTFILE to write attacker-controlled content to a path on the appliance filesystem. (Primitives of other engines, such as SQLite's load_extension() or PostgreSQL's COPY ... FROM PROGRAM, do not apply here.)
  3. Full RCE as root: the written file is a Python .pth file dropped into a site-packages directory, which the interpreter processes on startup; requesting one of the appliance's Python CGI scripts, which run as root, then executes the attacker's code.

A public PoC exploit was published on Exploit-DB (entry 52473) and demonstrated full RCE. The vulnerability is reachable without authentication: the endpoint is exposed by the management (GUI) interface, and the Bearer token lookup is the only check performed, which is exactly the query being injected.
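To make the bug shape concrete, the following Python example (added here; it is not FortiWeb code and does not reproduce FortiWeb's schema) runs the same pattern against an in-memory SQLite table: a stand-in get_fabric_user_by_token() that formats the Bearer token into the query text, beside a parameterized version. The table layout, column names and tokens are constructed for the example, and the real appliance uses MySQL rather than SQLite.

```python
import sqlite3
from typing import Dict, Optional


# Constructed stand-in for the appliance's fabric-user table; the real
# FortiWeb schema (a MySQL database) is not reproduced here.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_table (id INTEGER PRIMARY KEY, name TEXT, token TEXT)")
    conn.execute("INSERT INTO user_table (name, token) VALUES (?, ?)",
                 ("fabric-peer", "6f1c9d2e7a3b4c5d"))  # constructed token value
    conn.commit()
    return conn


def bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Return the token part of 'Authorization: Bearer <token>', or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def get_fabric_user_by_token_vulnerable(conn: sqlite3.Connection,
                                        headers: Dict[str, str]) -> Optional[int]:
    """Vulnerable shape (CWE-89): the token is formatted into the SQL text, so a
    quote in the token closes the string literal and the rest is parsed as SQL."""
    token = bearer_token(headers)
    if token is None:
        return None
    sql = f"SELECT id FROM user_table WHERE token='{token}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def get_fabric_user_by_token_fixed(conn: sqlite3.Connection,
                                   headers: Dict[str, str]) -> Optional[int]:
    """Hardened shape: the token is a bound parameter and is only ever compared
    as data, whatever characters it contains."""
    token = bearer_token(headers)
    if token is None:
        return None
    row = conn.execute("SELECT id FROM user_table WHERE token=?", (token,)).fetchone()
    return row[0] if row else None


def demo() -> Dict[str, Optional[int]]:
    """Run both lookups with a real token and with an injection payload."""
    conn = make_db()
    good = {"Authorization": "Bearer 6f1c9d2e7a3b4c5d"}
    evil = {"Authorization": "Bearer x' OR '1'='1"}  # holds no valid token at all
    return {
        "vuln_good": get_fabric_user_by_token_vulnerable(conn, good),  # 1
        "vuln_evil": get_fabric_user_by_token_vulnerable(conn, evil),  # 1: bypass
        "fixed_good": get_fabric_user_by_token_fixed(conn, good),      # 1
        "fixed_evil": get_fabric_user_by_token_fixed(conn, evil),      # None
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns a user id for a request that carries no valid token, which is the authentication bypass; the parameterized lookup returns nothing for the same request. The example stops at the bypass because Python's sqlite3 module refuses stacked statements and SQLite has no INTO OUTFILE, so the file-write step of the real chain cannot be shown against this stand-in.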

Discovery

Discovered by Kentaro Kawane of GMO Cybersecurity (Japan), who reported it to Fortinet.

Exploitation Context

Fortinet published advisory FG-IR-25-151 with patches on 8 July 2025. Shadowserver Foundation detected active in-the-wild exploitation beginning 11 July 2025, three days later and the same day public proof-of-concept code appeared, and confirmed multiple compromised FortiWeb hosts within days. CISA added CVE-2025-25257 to the KEV catalog on 18 July 2025 with a 21-day federal remediation deadline (8 August 2025). No specific named threat actor has been publicly attributed. The advisory-to-exploitation window of three days is the practical lesson: a pre-auth SQL injection on an internet-facing management interface should be treated as actively exploited from the day the patch is announced.

Remediation

  1. Upgrade FortiWeb immediately to 7.0.11, 7.2.11, 7.4.8, or 7.6.4 or later (matching your branch).
  2. If you cannot patch immediately, apply Fortinet's published workaround and disable the HTTP/HTTPS administrative interface until the upgrade is done; the vulnerable endpoint is served by that interface. In all cases keep the management interface off the internet and restrict it with network firewall rules to known administrators and Security Fabric peers.
  3. Review FortiWeb and upstream proxy/firewall logs for requests to /api/fabric/device/status from external or unexpected source addresses, particularly with Authorization header values that contain quotes, SQL keywords, or comment sequences, or that otherwise do not look like a token.
  4. Check for compromise indicators if the device was exposed while vulnerable: unexpected .pth or other new files in the appliance's Python site-packages directories, unauthorized configuration changes (new admin accounts, modified protection policies), and evidence of certificate or private key extraction. Because the exploit runs as root, a device confirmed compromised should be rebuilt from clean firmware and have its credentials and certificates rotated, not merely patched.
  5. Audit downstream protected applications for signs of policy manipulation or traffic interception that may have been enabled by a compromised WAF.
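An added example of the log review in step 3 (not a FortiWeb feature or a Fortinet script): it parses a constructed log format in which a reverse proxy or capture point in front of the management interface records the Authorization header, and flags requests to the Fabric Connector endpoint whose Bearer token contains SQL metacharacters or keywords, or which arrive from a source that is not a known Security Fabric peer. The line format, the EXPECTED_FABRIC_PEERS allowlist, the MAX_TOKEN_LEN threshold and the sample lines are all assumptions made for the example; adapt the regex to whatever your proxy or SIEM actually emits. Most access logs do not record Authorization values, so this depends on having such a capture point.

```python
import re
from dataclasses import dataclass, field
from typing import List

TARGET_PATH = "/api/fabric/device/status"

# Assumption: addresses that legitimately talk to the Fabric Connector
# (Security Fabric peers). Anything else hitting the endpoint is worth a look.
EXPECTED_FABRIC_PEERS = {"10.0.0.5"}

# Constructed line format: <ts> <src> <method> <path> <status> auth=<Authorization value>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) auth=(.*)$")

# Characters that break out of an SQL string literal or start a comment.
SQL_META_RE = re.compile(r"""['"\\;#]|--|/\*""")
# Keywords typical of extraction, blind-timing and file-write payloads.
SQL_KEYWORD_RE = re.compile(
    r"\b(union|select|sleep|benchmark|outfile|dumpfile|load_file)\b", re.IGNORECASE)
MAX_TOKEN_LEN = 256  # assumption: genuine tokens are far shorter than this


@dataclass
class Finding:
    ts: str
    src: str
    token: str
    reasons: List[str] = field(default_factory=list)


def bearer_token(auth_value: str) -> str:
    """Token part of a 'Bearer <token>' value, or '' if the scheme is not Bearer."""
    scheme, _, token = auth_value.strip().partition(" ")
    return token if scheme.lower() == "bearer" else ""


def token_reasons(token: str) -> List[str]:
    """Why a Bearer token value looks like an injection attempt rather than a token."""
    reasons = []
    if SQL_META_RE.search(token):
        reasons.append("sql-metacharacters")
    if SQL_KEYWORD_RE.search(token):
        reasons.append("sql-keyword")
    if len(token) > MAX_TOKEN_LEN:
        reasons.append("oversized-token")
    return reasons


def scan_log(text: str) -> List[Finding]:
    """Return one Finding per suspicious request to the Fabric Connector endpoint."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format; a real tool would count these
        ts, src, _method, path, _status, auth = m.groups()
        # Match the path with or without a query string, case-insensitively.
        if not path.lower().startswith(TARGET_PATH):
            continue
        token = bearer_token(auth)
        reasons = token_reasons(token)
        if src not in EXPECTED_FABRIC_PEERS:
            reasons.append("unexpected-source")
        if reasons:
            findings.append(Finding(ts, src, token, reasons))
    return findings


# Constructed sample: one legitimate peer, a probe from outside, a file-write
# attempt, and an unknown host presenting a plausible-looking token.
SAMPLE_LOG = """\
2025-07-11T09:00:00Z 10.0.0.5 GET /api/fabric/device/status 200 auth=Bearer 6f1c9d2e7a3b4c5d
2025-07-11T09:00:05Z 10.0.0.5 GET /api/v1/system/status 200 auth=Bearer 6f1c9d2e7a3b4c5d
2025-07-11T10:22:03Z 203.0.113.7 GET /api/fabric/device/status 500 auth=Bearer x' OR '1'='1
2025-07-11T10:22:09Z 203.0.113.7 GET /api/fabric/device/status 200 auth=Bearer x' UNION SELECT 1 INTO OUTFILE '/tmp/probe
2025-07-11T11:02:41Z 198.51.100.20 GET /api/fabric/device/status 401 auth=Bearer abc123
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {','.join(f.reasons)} token={f.token!r}")
```

The source check is deliberately separate from the payload check: an unknown host presenting a well-formed token still deserves a look, because a scanner's first request is often a benign probe, and a 500 from the endpoint on a request carrying a quote is a strong sign the database choked on injected syntax.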

Key Details

Property              Value
CVE ID                CVE-2025-25257
Vendor / Product      Fortinet — FortiWeb
NVD Published         2025-07-17
NVD Last Modified     2026-02-20
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-89
CISA KEV Added        2025-07-18
CISA KEV Deadline     2025-08-08
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-08-08. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-07-08  Fortinet advisory FG-IR-25-151 published; patches released
2025-07-11  Public PoC code appears; Shadowserver Foundation begins detecting active exploitation
2025-07-17  CVE record published on NVD
2025-07-18  CISA adds to Known Exploited Vulnerabilities catalog
2025-08-08  CISA BOD 22-01 remediation deadline