Proof-of-concept exploits have been launched for a important SQLi vulnerability in Fortinet FortiWeb that can be utilized to obtain pre-authenticated distant code execution on susceptible servers.
FortiWeb is an internet software firewall (WAF), which is used to guard internet functions from malicious HTTP visitors and threats.
The FortiWeb vulnerability has a 9.8/10 severity rating and is tracked as CVE-2025-25257. Fortinet fastened it final week in FortiWeb 7.6.4, 7.4.8, 7.2.11, and seven.0.11 and later variations.
“An improper neutralization of particular components utilized in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in FortiWeb could permit an unauthenticated attacker to execute unauthorized SQL code or instructions through crafted HTTP or HTTPs requests,” reads Fortinet’s advisory.
The flaw was found by Kentaro Kawane from GMO Cybersecurity, who additionally disclosed a static hardcoded password vulnerability in Cisco ISE final month.
FortiWeb pre-auth SQLi to pre-auth RCE
At this time, cybersecurity agency WatchTowr and a safety researcher often called “defective *ptrrr” launched technical write-ups and proof-of-concept exploits that open reverse shells or an internet shell.
The flaw is present in FortiWeb’s Cloth Connector, which is software program that synchronizes authentication and coverage knowledge between Fortinet merchandise.
The software program accommodates an unauthenticated SQL injection flaw within the get_fabric_user_by_token() operate, which makes use of the next code to situation a MySQL question:
snprintf(s, 0x400u, "choose id from fabric_user.user_table the place token='%s'", a1);
This code didn’t correctly sanitize the bearer token despatched in HTTP request headers, permitting attackers to inject customized SQL into the header to attain SQLi.
Attackers can set off the flaw by way of HTTP requests to the /api/material/system/standing endpoint by injecting SQL into the Authorization header (e.g., Bearer AAAAAA'or'1'='1), permitting attackers to bypass authentication checks.
The researchers had been capable of escalate the SQL injection to distant code execution by executing MySQL’s SELECT … INTO OUTFILE question through the SQLi flaw to create arbitrary recordsdata on the system. This allowed them to jot down a Python .pth file into the positioning‑packages listing.
As .pth recordsdata are mechanically loaded and run when Python is executed, the researchers discovered a legit FortiWeb CGI Python script (/cgi-bin/ml‑draw.py) that may very well be used to launch the malicious code within the .pth file and obtain distant code execution.
As exploits at the moment are public and broadly out there, it’s strongly suggested that admins prioritize putting in the patches to forestall servers from being compromised.
Right now, there isn’t a indication that the vulnerability is being actively exploited, however this can doubtless change within the close to future.
Whereas cloud assaults could also be rising extra subtle, attackers nonetheless succeed with surprisingly easy strategies.
Drawing from Wiz’s detections throughout hundreds of organizations, this report reveals 8 key strategies utilized by cloud-fluent menace actors.
