PSIRT | FortiGuard Labs

Unauthenticated SQL injection in GUI

Summary

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.

Version       Affected                Solution
FortiWeb 7.6  7.6.0 through 7.6.3     Upgrade to 7.6.4 or above
FortiWeb 7.4  7.4.0 through 7.4.7     Upgrade to 7.4.8 or above
FortiWeb 7.2  7.2.0 through 7.2.10    Upgrade to 7.2.11 or above
FortiWeb 7.0  7.0.0 through 7.0.10    Upgrade to 7.0.11 or above
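A triage helper for the table above, added here as an example and not part of the Fortinet advisory. It encodes the four affected ranges exactly as published, parses version strings numerically (so that 7.2.10 is correctly ordered after 7.2.3, which a plain string comparison gets wrong), and reports for each device whether it is affected, already fixed, or on a branch the advisory does not list. The inventory lines and the ",buildNNNN" suffix handling are constructed sample input, not a format this advisory defines.

```python
"""Classify FortiWeb version strings against the FG-IR-25-151 affected ranges."""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges and first fixed release, copied from the advisory table:
# (branch label, first affected, last affected, first fixed)
AFFECTED_RANGES = [
    ("FortiWeb 7.6", (7, 6, 0), (7, 6, 3), (7, 6, 4)),
    ("FortiWeb 7.4", (7, 4, 0), (7, 4, 7), (7, 4, 8)),
    ("FortiWeb 7.2", (7, 2, 0), (7, 2, 10), (7, 2, 11)),
    ("FortiWeb 7.0", (7, 0, 0), (7, 0, 10), (7, 0, 11)),
]


def parse_version(text: str) -> Version:
    """Parse '7.2.10', 'v7.2.10' or '7.2.10,build0659' into an int tuple.

    The optional leading 'v' and trailing ',build...' suffix are assumptions
    about how an inventory export might look, not a format from the advisory.
    """
    core = text.strip().lstrip("vV").split(",")[0].split()[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, first_fixed_version_or_None) for one version string.

    status is 'affected', 'fixed' (same branch, at or past the fix) or
    'not listed' (a branch the advisory does not mention; no claim either way).
    """
    version = parse_version(text)
    for _branch, low, high, fixed in AFFECTED_RANGES:
        if version[:2] == low[:2]:
            if low <= version <= high:            # numeric, not lexical, comparison
                return ("affected", ".".join(str(n) for n in fixed))
            return ("fixed", None)
    return ("not listed", None)


def scan_inventory(lines: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Classify 'hostname<TAB>version' inventory lines; skip blanks and comments."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version_text = line.split("\t", 1)
        status, fixed = assess(version_text)
        results.append((host, status, fixed))
    return results


# Constructed sample inventory (hostnames and builds are made up for illustration).
SAMPLE_INVENTORY = [
    "# host\tversion",
    "waf-dc1\tv7.2.10,build0659",   # last affected release on the 7.2 branch
    "waf-dc2\t7.2.11",               # first fixed release on the 7.2 branch
    "waf-lab\t7.6.10",               # lexically < 7.6.3, numerically well past the fix
    "waf-old\t6.4.5",                # branch not covered by this advisory
]

if __name__ == "__main__":
    for host, status, fixed in scan_inventory(SAMPLE_INVENTORY):
        action = f"upgrade to {fixed} or above" if fixed else "no action from this advisory"
        print(f"{host:10} {status:11} {action}")
```

Running the block prints one line per device; in an incident-response setting the same function would be fed the real inventory export, and anything reported as "affected" is a host still exposing the vulnerable GUI unless the HTTP/HTTPS administrative interface has been disabled as the workaround describes.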

Workaround

Disable HTTP/HTTPS administrative interface

Acknowledgement

Fortinet is pleased to thank Kentaro Kawane from GMO Cybersecurity by Ierae for reporting this vulnerability under responsible disclosure.

Timeline

2025-07-08: Initial publication

Ref: https://fortiguard.fortinet.com/psirt/FG-IR-25-151


Meta
[
  {
    "tags": [
      "vulnerability:exploitability=documented"
    ]
  }
]