Fortinet Critical SQL Injection Flaw

Fortinet has released a patch to address a critical SQL injection vulnerability in its FortiWeb product, identified as CVE-2025-25257 with a CVSS score of 9.6. This flaw, found in the Fabric Connector component, allows unauthenticated attackers to execute arbitrary database commands through crafted HTTP or HTTPS requests, posing a severe risk to database security. Affected versions include FortiWeb 7.0.0 to 7.0.10, 7.2.0 to 7.2.10, 7.4.0 to 7.4.7, and 7.6.0 to 7.6.3, with upgrades recommended to versions 7.0.11, 7.2.11, 7.4.8, or 7.6.4 to mitigate the issue. The vulnerability was discovered by Kentaro Kawane of GMO Cybersecurity, and watchTowr Labs noted its roots in the "get_fabric_user_by_token" function.

Given the history of threat actors exploiting Fortinet device vulnerabilities, immediate patching is critical to prevent potential attacks. The advisory emphasizes the urgency of updating to the latest versions to protect against unauthorized access and data breaches. Fortinet’s proactive response aims to secure susceptible instances, and users are encouraged to apply the patches promptly to safeguard their systems.

Until the fix is deployed, it is recommended to disable HTTP & HTTPS administrative interface.

For further information about this vulnerability you can read more about it here.

If you require assistance addressing this vulnerability, Contact Us and we will be happy to help address this for you!