Fortinet Releases Patch for Critical SQL Injection Flaw in FortiWeb (CVE-2025-25257)

Fortinet has released fixes for a critical security flaw impacting FortiWeb that could enable an unauthenticated attacker to run arbitrary database commands on susceptible instances. Tracked as CVE-2025-25257, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0. "An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests," Fortinet said in an advisory released this week. The shortcoming impacts the following versions – FortiWeb 7.6.0 through 7.6.3 (Upgrade to 7.6.4 or above) FortiWeb 7.4.0 through 7.4.7 (Upgrade to 7.4.8 or above) FortiWeb 7.2.0 through 7.2.10 (Upgrade to 7.2.11 or above) FortiWeb 7.0.0 through 7.0.10 (Upgrade to 7.0.11 or above) Kentaro Kawane from GMO Cybersecurity, who was recently credited with reporting a set of critical flaws in Cisco Identity Services and ISE Passive Identity Connector (CVE-2025-20286, CVE-2025-20281, and CVE-2025-20282), has acknowledged for discovering the issue. In an analysis published today, watchTowr Labs said the problem is rooted in a function called "get_fabric_user_by_token" that's associated with the Fabric Connector component, which acts as a bridge between FortiWeb and other Fortinet products. The function, in turn, is invoked from another function named "fabric_access_check," that's called from three different API…Read More