Fortinet FortiWeb, unauthenticated SQL injection leading to remote code execution
An improper neutralization of special elements used in an SQL command (SQL injection) vulnerability in Fortinet FortiWeb allows a remote, unauthenticated attacker to execute unauthorized SQL commands via crafted HTTP or HTTPS requests. The injection point is reachable pre-authentication and has been demonstrated to escalate to remote code execution. Public proof-of-concept exploits are available and CISA has confirmed active exploitation.
Overview
CVE-2025-25257 is a critical pre-authentication SQL injection in Fortinet FortiWeb, the vendor's web application firewall. It allows a remote, unauthenticated attacker to inject arbitrary SQL through crafted HTTP or HTTPS requests, and researchers quickly chained the primitive into full remote code execution on the appliance. Fortinet published advisory FG-IR-25-151 and the bug carries an NVD CVSS 3.1 base score of 9.8 (Fortinet's own score is 9.6). Within days of disclosure, working exploits appeared on Exploit-DB and GitHub, and CISA added the CVE to its Known Exploited Vulnerabilities catalog on 18 July 2025. Internet-exposed FortiWeb management interfaces are the primary target.
Technical Details
The flaw is an improper neutralization of special elements in an SQL command (CWE-89). A request parameter handled by an unauthenticated endpoint is concatenated into a SQL statement without proper sanitization or parameterization, letting an attacker manipulate the query. Because the database service runs with high privilege on the appliance, attackers leverage SQL features such as writing files to disk to drop a payload and achieve code execution, turning a data-layer injection into operating-system control. The published proof-of-concept demonstrates the path from anonymous HTTP request to a shell.
Impact
- Unauthenticated SQL injection against an internet-facing security appliance
- Escalation to remote code execution and full appliance compromise
- Exposure and modification of the FortiWeb configuration and protected-application data
- Use of the WAF as a foothold to attack the web applications it is meant to defend
Mitigation
- Upgrade FortiWeb 7.6 to 7.6.4 or above.
- Upgrade FortiWeb 7.4 to 7.4.8 or above.
- Upgrade FortiWeb 7.2 to 7.2.11 or above.
- Upgrade FortiWeb 7.0 to 7.0.11 or above.
- As an interim workaround, disable the HTTP/HTTPS administrative interface on the appliance to remove the attack surface until the upgrade is applied.
Detection
- CISA added CVE-2025-25257 to the KEV catalog on 18 July 2025 with a remediation due date of 8 August 2025.
- Review FortiWeb HTTP/HTTPS access logs for anomalous requests to administrative endpoints containing SQL syntax or unusual parameter content.
- Look for unexpected files written to the appliance filesystem and for new or modified administrator accounts.
- Public proof-of-concept code (Exploit-DB ID 52473 and related GitHub repositories) can be used to build detection signatures for the specific request pattern.