Patch Now: FortiWeb Pre-Auth RCE Exploits Released
▼ Summary
– A critical SQL injection vulnerability (CVE-2025-25257, severity 9.8/10) in Fortinet FortiWeb allows pre-authenticated remote code execution via crafted HTTP/HTTPS requests.
– Fortinet patched the flaw in FortiWeb versions 7.6.4, 7.4.8, 7.2.11, and 7.0.11, urging admins to update immediately due to public proof-of-concept exploits.
– The vulnerability stems from improper SQL query sanitization in the `get_fabric_user_by_token()` function, enabling attackers to inject malicious SQL via the Authorization header.
– Researchers demonstrated how to escalate the SQL injection to RCE by writing malicious Python files via MySQL’s `INTO OUTFILE` and exploiting a legitimate CGI script.
– While no active exploitation has been reported yet, the availability of public exploits increases the risk of attacks in the near future.
A critical vulnerability in Fortinet’s FortiWeb web application firewall (WAF) now has publicly available exploits, putting unpatched systems at immediate risk of remote code execution attacks. Security teams must act quickly to apply updates before attackers weaponize these proof-of-concept tools.
The flaw, tracked as CVE-2025-25257, carries a maximum severity rating of 9.8/10 due to its potential for exploitation without authentication. Fortinet addressed the issue in recent updates, including versions 7.6.4, 7.4.8, 7.2.11, and 7.0.11. The vulnerability stems from improper SQL query sanitization, allowing attackers to inject malicious commands through manipulated HTTP requests.
Discovered by researcher Kentaro Kawane, the weakness lies in FortiWeb’s Fabric Connector, a component responsible for synchronizing authentication data across Fortinet products. Attackers can exploit it by sending specially crafted requests to the /api/fabric/device/status endpoint, injecting SQL payloads via the Authorization header. This bypasses authentication entirely, granting unauthorized access to backend systems.
Security firms WatchTowr and independent researcher “faulty *ptrrr” have since demonstrated how this SQL injection flaw can be escalated to full remote code execution (RCE). By leveraging MySQL’s SELECT … INTO OUTFILE command, attackers can write arbitrary files, including malicious Python scripts, onto vulnerable servers. One particularly dangerous method involves planting a .pth file in Python’s site-packages directory, which automatically executes when triggered by legitimate FortiWeb processes.
With working exploits now circulating, organizations running outdated FortiWeb versions face heightened risks. While no active attacks have been reported yet, threat actors often move swiftly once proof-of-concept code becomes available. Administrators should immediately verify their deployments and apply the latest patches to mitigate exposure. Delaying updates could leave networks vulnerable to data theft, ransomware, or further system compromise.
Fortinet has a history of addressing critical vulnerabilities, but as with any security product, timely patching remains essential. Given FortiWeb’s role in protecting web applications, unpatched instances could serve as gateways for broader network intrusions. Proactive measures, such as monitoring for suspicious SQL queries or unexpected file modifications, can help detect attempted exploits before damage occurs.
The public release of these exploits underscores the importance of zero-day preparedness. Organizations should prioritize vulnerability management programs that include rapid patch deployment, network segmentation, and continuous threat monitoring to defend against emerging attack vectors.
(Source: Bleeping Computer)
