CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2025-25257

CVSS 9.8v3.1pub. 2025-07-17upd. 2026-02-20

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.7, FortiWeb 7.2.0 through 7.2.10, FortiWeb 7.0.0 through 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.

🤖 AI Analysis
How it works

The FortiWeb application improperly neutralizes special characters in input data passed to SQL queries. An attacker can send a crafted HTTP or HTTPS request containing a malicious SQL payload without needing any credentials. The vulnerability allows injection and execution of unauthorized SQL commands directly in the device's database layer.

Impact

An unauthenticated attacker can gain full access to data stored in the database, modify or delete configuration data, and potentially take control of the device — which in the case of a WAF device means compromising the entire protected network infrastructure.

Mitigation & patch

FortiWeb must be immediately updated to a version containing the patch according to the vendor's advisory (FG-IR-25-151) available at https://fortiguard.fortinet.com/psirt/FG-IR-25-151. Until the update is applied, consider restricting access to the device's management interface to trusted IP addresses only.

Who is affected

Fortinet FortiWeb in versions: 7.6.0–7.6.3, 7.4.0–7.4.7, 7.2.0–7.2.10, 7.0.0–7.0.10

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Fortinet Fortiweb

    APP
    Fortinet
    7.0.0 – 7.0.11 (bez)7.2.0 – 7.2.11 (bez)7.4.0 – 7.4.8 (bez)7.6.0 – 7.6.4 (bez)

CISA KEV — detailsi

Vendori
Fortinet
Producti
FortiWeb
Added to KEVi
July 18, 2025
Remediation deadline (US Federal)i
August 8, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Fortinet FortiWeb contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 8 sierpnia 2025
Tags
SQLiAuth Bypass
CWE
References

Related vulnerabilities

CVE-2026-24858CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Fortinet – Auth Bypass przez FortiCloud SSO w wielu produktach

CVE-2025-64446CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Path Traversal w Fortinet FortiWeb umożliwiający zdalne wykonanie poleceń

CVE-2025-59719CRITICAL9.8PL ✓ten sam produkt

Fortinet FortiWeb — pominięcie uwierzytelnienia SSO przez spreparowany SAML

CVE-2023-25610CRITICAL9.8PL ✓ten sam produkt

Buffer Underflow w interfejsie administracyjnym Fortinet FortiOS / FortiProxy — RCE bez uwierzytelnienia

CVE-2021-42761CRITICAL9.0ten sam produkt

A condition for session fixation vulnerability [CWE-384] in the session management of FortiWeb versions 6.4 al...

CVE-2025-25257 — Fortinet — Fortiweb — CRITICAL — CVSS 9.8 | CVEbaza.pl