CVE-2025-25257 Vulnerability: Critical SQL Injection in Fortinet FortiWeb Enables Unauthenticated Remote Code Execution
Following the recent disclosure of CVE-2025-47981, a critical heap-based buffer overflow in Windows SPNEGO Extended Negotiation, security teams now face another major threat, this time affecting Fortinet’s FortiWeb web application firewall. Designated as CVE-2025-25257 and assigned a CVSS score of 9.6, this vulnerability is an unauthenticated SQL injection flaw that allows attackers to execute arbitrary SQL commands via specially crafted HTTP or HTTPS requests.
Exploitation of vulnerabilities continues to be a leading method for attackers to gain an initial foothold within the targeted network. In 2025, such activity increased by 34% compared to the previous year, contributing to a significant rise in security breaches. With proof-of-concept (PoC) code for CVE-2025-25257 already circulating online, early detection of exploitation attempts is critical. To respond effectively, security teams require curated detection content and relevant security tooling to keep pace with today’s aggressive threat landscape.
Register for the SOC Prime Platform to access the global active threats feed, which offers real-time cyber threat intelligence and curated detection algorithms backed by a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection. All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context. Press the Explore Detections button to see the entire detection stack for proactive defense against critical vulnerabilities filtered by the “CVE” tag.
Security engineers can also leverage Uncoder AI—a private, non-agentic AI purpose-built for threat-informed detection engineering. With Uncoder, defenders can automatically convert IOCs into actionable hunting queries, craft detection rules from raw threat reports, enable ATT&CK tags prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms.
CVE-2025-25257 Analysis
According to Fortinet’s advisory, the CVE-2025-25257 vulnerability stems from the improper neutralization of special elements used in SQL statements. This allows an unauthenticated attacker to execute unauthorized SQL commands through crafted HTTP or HTTPS requests. In a recent analysis by watchTowr Labs, researchers point to a function called get_fabric_user_by_token as the root cause. This function is part of the Fabric Connector component, which serves as a bridge between FortiWeb and other Fortinet products.
The vulnerability occurs because attacker-controlled input—delivered through a crafted HTTP request—is passed directly into an SQL query without sufficient sanitization. This lack of input validation allows malicious SQL code to be injected and executed. Moreover, the attack can escalate to remote code execution by using a SELECT … INTO OUTFILE statement to write a malicious payload to the file system. Since the SQL query is executed under the “mysql” user, the attacker can drop a file onto the underlying operating system and potentially execute it via Python.
According to Fortinet, several FortiWeb versions are affected by CVE-2025-25257, and users are strongly advised to apply patches as soon as possible. The vulnerable versions include FortiWeb 7.6.0 through 7.6.3, which should be updated to 7.6.4 or later; FortiWeb 7.4.0 through 7.4.7, which requires an upgrade to 7.4.8 or later; FortiWeb 7.2.0 through 7.2.10, which should be updated to 7.2.11 or later; and FortiWeb 7.0.0 through 7.0.10, which must be upgraded to 7.0.11 or later.
As a temporary workaround, Fortinet recommends disabling the HTTP/HTTPS administrative interface until the appropriate patches can be applied.
To proactively manage the growing attack surface, organizations can rely on the SOC Prime Platform, offering the world’s largest detection rule marketplace, threat hunting & detection engineering automation, AI-native threat intelligence, and more capabilities to transform your SOC. By leveraging SOC Prime’s complete product suite, security teams can effectively minimize the risks of vulnerability exploitation and other emerging threats they anticipate most.
