Patch Immediately: CVE-2025-25257 PoC Enables Remote Code Execution on Fortinet FortiWeb

A critical vulnerability has been discovered in Fortinet's FortiWeb security solution, allowing unauthenticated attackers to execute unauthorized SQL commands via crafted HTTP/HTTPS requests. The Proof-of-Concept (PoC) exploits for CVE-2025-25257, rated as high severity by the Common Vulnerability Scoring System (CVSS), enable pre-authenticated remote code execution on vulnerable servers.

The vulnerability is attributed to a SQL injection flaw in FortiWeb, specifically due to an improper neutralization of special elements used in SQL commands. This enables attackers to inject malicious SQL code via crafted requests, which can be executed without authentication.

Avoiding the Flaw: A Look at the Vulnerability

The vulnerability is related to CWE-89, a common web application security flaw that allows unauthenticated attackers to execute unauthorized SQL code or commands. According to Fortinet's advisory, the issue arises from an improper neutralization of special elements used in SQL commands.

The Discovery and Analysis Process

Kentaro Kawane from GMO Cybersecurity reported this vulnerability under responsible disclosure. WatchTowr researchers conducted a binary diffing comparison of Fortinet's httpsd service between versions 7.6.3 and 7.6.4 to identify the specific changes introduced in the new version that addressed the issue.

The researchers discovered the unauthenticated SQL injection vulnerability by exploring how to escalate it from remote code execution. They found an existing Python script (ml-draw.py) in the CGI directory, executed by Apache via /bin/python, which they leveraged to execute arbitrary code using a lesser-known Python feature: .pth files.

Exploiting the Vulnerability

The researchers used a combination of techniques to bypass file size limits and path constraints in INTO OUTFILE. They employed a relative file path and extracted payload chunks from the database itself to successfully execute code via a crafted .pth file that ran their desired Python code when the CGI script was triggered.

A Detection Artifact Generator for FortiWeb CVE-2025-25257

WatchTowr researchers created a Detection Artifact Generator for FortiWeb CVE-2025-25257, which is available here. This tool can help administrators detect and identify vulnerable systems more efficiently.

Patching the Vulnerability

Fortinet has released security patches in versions 7.6.4, 7.4.8, 7.2.11, and 7.0.11 to address the issue. It is strongly advised that administrators apply these patches immediately due to the availability of public exploits.

While there's no evidence of active exploitation yet, this is expected to change soon. We urge all Fortinet FortiWeb users to take immediate action to patch their systems and protect against potential attacks.

Stay informed about the latest security updates by following us on Twitter: @securityaffairs, Facebook, and Mastodon.