Overview
Fortinet FortiWeb contains a critical SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands through crafted HTTP/HTTPS requests. The vulnerability affects multiple versions across the 7.x and earlier releases, posing a severe risk to web application firewall deployments that are exposed to untrusted networks. The vulnerability was disclosed on July 17, 2025. CISA has identified CVE-2025-25257 as being exploited but is not currently known to be used in ransomware campaigns.
Technical details
Fortinet FortiWeb versions 7.6.0-7.6.3, 7.4.0-7.4.7, 7.2.0-7.2.10, and all versions below 7.0.10 are vulnerable to SQL injection attacks. The vulnerability stems from improper neutralization of special elements in SQL commands within the web application. An attacker can craft malicious HTTP or HTTPS requests containing SQL injection payloads that bypass input validation and are directly executed by the backend database. Since authentication is not required to exploit this vulnerability, any attacker with network access to the FortiWeb instance can execute unauthorized SQL commands.
The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')) andCWE-20 (Improper Input Validation) .
The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical nature.
Impact
An unauthenticated attacker can exploit this SQL injection vulnerability to: (1) Extract sensitive data from the FortiWeb database including configuration, credentials, logs, and policy information; (2) Modify or delete database records, potentially compromising the integrity of security policies and configurations; (3) Execute system commands with database privileges, potentially leading to remote code execution; (4) Cause denial of service by executing resource-intensive queries or corrupting critical database structures. As FortiWeb is a critical web application firewall, compromise of this component could allow attackers to bypass security controls and gain unauthorized access to protected web applications.
Mitigation and workarounds
1. Backup current FortiWeb configuration and database 2. Download the latest patched version from Fortinet Support Portal (requires valid support contract) 3. For FortiWeb 7.6.x: Upgrade to 7.6.4 or later 4. For FortiWeb 7.4.x: Upgrade to 7.4.8 or later 5. For FortiWeb 7.2.x: Upgrade to 7.2.11 or later 6. For FortiWeb below 7.0.10: Upgrade to 7.0.10 or later 7. Follow Fortinet's upgrade procedure for your deployment model (standalone, high availability, or cloud) 8. Verify patch installation and test functionality in staging environment first 9. Monitor logs for any suspicious activity post-patch The following versions include the necessary fixes: FortiWeb 7.6.4 and later, FortiWeb 7.4.8 and later, FortiWeb 7.2.11 and later, FortiWeb 7.0.10 and later.
As temporary workarounds: implement network-level access controls to restrict access to fortiweb management and application interfaces to trusted ip addresses only. use firewall rules to limit http/https traffic to known legitimate sources.; disable unnecessary fortiweb features and endpoints that are not required for your deployment. review and minimize exposed interfaces.; monitor fortiweb logs and database access patterns for unusual sql queries, authentication failures, or suspicious command patterns. set up alerts for anomalous activity., and if possible, isolate fortiweb from production networks and place it in a dmz with limited lateral movement capabilities..
CISA's recommendation: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Additional resources
Source: This report was generated using AI
