CVE-2025-25257

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in Fortinet FortiWeb version 7.6.0...

Basic Information

CVE State
PUBLISHED
Reserved Date
February 05, 2025
Published Date
July 17, 2025
Last Updated
July 30, 2025
Vendor
Fortinet
Product
FortiWeb
Description
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in Fortinet FortiWeb version 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10 and below 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.
Tags
cisa edge

CVSS Scores

CVSS v3.1

9.6 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:X/RC:C

EPSS Score

Score
2.73% (Percentile: 85.35%) as of 2025-07-29

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-07-16 00:00:00 UTC)

Known Exploited Vulnerability Information

Source
The Shadowserver (via CIRCL)
Added Date
2025-07-17 18:00:17 UTC

Recent Mentions

New Fortinet FortiWeb hacks likely linked to public RCE exploits

Source: BleepingComputer • Published: 2025-07-16 14:58:52 UTC

Multiple Fortinet FortiWeb instances recently infected with web shells are believed to have been compromised using public exploits for a recently patched remote code execution (RCE) flaw tracked as CVE-2025-25257. [...]

Fortinet Releases Patch for Critical SQL Injection Flaw in FortiWeb (CVE-2025-25257)

Source: TheHackerNews • Published: 2025-07-11 14:38:00 UTC

Fortinet has released fixes for a critical security flaw impacting FortiWeb that could enable an unauthenticated attacker to run arbitrary database commands on susceptible instances. Tracked as CVE-2025-25257, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0. "An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in

Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257)

Source: Watchtower Labs • Published: 2025-07-11 10:12:43 UTC

Welcome back to yet another day in this parallel universe of security. This time, we’re looking at Fortinet’s FortiWeb Fabric Connector. “What is that?” we hear you say. That's a great question; no one knows. For the uninitiated, or unjaded; Fortinet’

CVE-2025-25257: Critical Unauthenticated SQL Injection Vulnerability in FortiWeb

Source: Arctic Wolf • Published: 2025-07-10 20:23:12 UTC

On July 8, 2025, Fortinet released fixes for a critical vulnerability in FortiWeb that could allow an unauthenticated threat actor to execute SQL commands via crafted HTTP or HTTPS requests, tracked as CVE-2025-25257. The flaw lies in the Graphical User Interface (GUI) component and stems from improper neutralization of special elements used in SQL statements. ...

Timeline

  • CVE ID Reserved: February 05, 2025

  • CVE Published to Public: July 17, 2025

  • Added to KEVIntel: 2025-07-17 18:00:17 UTC