Fortinet FortiWeb faces yet another unauthenticated remote code execution vulnerability - CVE‑2025‑25257

Lưu Tuấn Anh

Overview

Fortinet recently published an advisory for a critical vulnerability in FortiWeb, tracked as CVE‑2025‑25257, and a public proof of concept (PoC) is already circulating online, which puts exposed appliances at immediate risk. The flaw lets an attacker execute code on the device without any authentication (pre-auth RCE).

Once an attacker can write arbitrary files to the appliance's filesystem, they can:

  • Deploy a permanent backdoor

  • Alter WAF configurations

  • Disrupt or redirect traffic to the applications the WAF is supposed to protect


Vulnerability Description

  • Vulnerability ID: CVE‑2025‑25257

  • CVSS Score: 9.6/10 (Critical)

  • Affected Versions: every FortiWeb 7.x release branch is affected

    • FortiWeb 7.0.0 to 7.0.10

    • FortiWeb 7.2.0 to 7.2.10

    • FortiWeb 7.4.0 to 7.4.7

    • FortiWeb 7.6.0 to 7.6.3

  • Attack Mechanism: an unauthenticated SQL injection in the Fabric Connector API endpoint /api/fabric/device/status that escalates to remote code execution (pre-auth RCE). The risk is highest when the management interface serving this endpoint is reachable from the Internet.

  • Consequences: successful exploitation gives the attacker full control of the WAF appliance.

Vulnerability Details

The root cause is an unauthenticated SQL injection (CWE‑89) in the Fabric Connector endpoint: the value of the Authorization: Bearer header is used in a SQL query before any authentication decision has been made. The public PoC therefore starts with an SQLInjection class that sends SQL payloads in the Bearer header.

If a syntactically valid payload gets HTTP 200, or HTTP 401 (an authentication failure but no SQL syntax error), the injected text was parsed as part of the query and the attacker can move on to the escalation steps; a malformed payload produces a database error instead, which is what distinguishes an injectable header from an ordinary rejected token.
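The pattern behind the two paragraphs above, as an added example that is not code from the post or from Fortinet: a Bearer-token lookup built by string interpolation, the same lookup with a bound parameter, and the probe logic that tells the two apart by response code. The table and column names (fabric_user, token) and the mapping of query outcomes to 200/401/500 are assumptions for illustration; the real FortiWeb query is not shown on the page.

```python
# Added example, not code from the post or from Fortinet: a minimal model of the
# CWE-89 pattern behind a pre-auth Bearer-token lookup, using an in-memory SQLite
# table. The table/column names (fabric_user, token) and the response-code
# mapping are assumptions for illustration.
import sqlite3


def seed_db() -> sqlite3.Connection:
    """Build a throwaway database with one valid connector token (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fabric_user (id INTEGER, token TEXT)")
    conn.execute("INSERT INTO fabric_user VALUES (1, 'real-secret-token')")
    return conn


def check_token_vulnerable(conn: sqlite3.Connection, bearer: str) -> int:
    """Token check with string interpolation: whatever follows 'Bearer ' becomes
    SQL. Returns an HTTP-style code: 200 if a row matched, 401 if none matched,
    500 if the query failed to parse (the 'SQL syntax error' case)."""
    sql = f"SELECT id FROM fabric_user WHERE token = '{bearer}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return 500
    return 200 if row else 401


def check_token_fixed(conn: sqlite3.Connection, bearer: str) -> int:
    """Same check with a bound parameter: the token is data, never SQL."""
    row = conn.execute(
        "SELECT id FROM fabric_user WHERE token = ?", (bearer,)
    ).fetchone()
    return 200 if row else 401


def looks_injectable(status_wellformed: int, status_broken: int) -> bool:
    """The probing logic described above: a well-formed injected payload that
    yields 200 or 401 while a deliberately broken one yields a server error
    means the header value is being parsed as SQL."""
    return status_wellformed in (200, 401) and status_broken >= 500


def demo() -> dict:
    """Run the same four probes against both implementations."""
    conn = seed_db()
    probes = {
        "valid": "real-secret-token",
        "bypass": "' OR '1'='1",   # well-formed, matches every row
        "noop": "' AND '1'='2",    # well-formed, matches nothing
        "broken": "'",             # unterminated quote, syntax error
    }
    return {
        "vulnerable": {k: check_token_vulnerable(conn, v) for k, v in probes.items()},
        "fixed": {k: check_token_fixed(conn, v) for k, v in probes.items()},
    }


if __name__ == "__main__":
    print(demo())
```

Against the interpolated version the `bypass` probe is accepted (200) and the `broken` probe surfaces a database error (500); against the parameterized version every non-matching probe is just a 401, so the `looks_injectable` check returns False and the attacker learns nothing.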

Once injection is confirmed, the PoC moves on to code execution (its RCE class builds on the SQLInjection class). The attacker creates a table fabric_user.a to stage the webshell and writes the shell into that table piece by piece.

The staged contents are then written out to disk as a CGI script, x.cgi.

Next, a Python script is dropped into a FortiWeb directory from which it is executed automatically when the CGI is triggered. It acts as a gadget that runs chmod +x on the dropped shell (a file written from SQL is not executable on its own) and cleans up traces of the write, which makes the intrusion harder for investigators to reconstruct.

Finally, commands are sent to the webshell over HTTP in the User-Agent header. Because the MySQL process on FortiWeb runs as root, the injection can write files anywhere on the filesystem, and a shell executed with those privileges hands the attacker full control of the device.
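Detection logic for the chain described above, as an added example that is not from the post or from any vendor: it scans request records for SQL syntax inside the Bearer header sent to the Fabric endpoint, for a file-write primitive in the same header, and for shell commands carried in the User-Agent of requests to a .cgi file, then correlates by source address. The JSON-lines log is constructed for this example; the field names, the /cgi-bin/ location and the command keywords are assumptions, not the FortiWeb log format.

```python
# Added example, not from the post or any vendor: detection logic a SOC could run
# over web-server or reverse-proxy request records to spot the activity described
# above. The JSON-lines log below is constructed for this example; field names,
# the /cgi-bin/ location of the dropped shell and the command keywords are
# assumptions, not FortiWeb log format.
import json
import re

FABRIC_ENDPOINT = "/api/fabric/device/status"

# A Bearer token should be an opaque string; quotes, comment markers or SQL
# keywords inside it point at injection attempts (heuristic, assumed).
SQLI_PATTERNS = [re.compile(p, re.I) for p in (
    r"'", r"--", r"/\*", r"\bunion\b", r"\bselect\b", r"into\s+(out|dump)file",
)]
FILE_WRITE = re.compile(r"into\s+(out|dump)file", re.I)
# Requests for a .cgi file whose User-Agent starts with, or chains into, a
# shell command (the post describes commands delivered in that header).
CGI_PATH = re.compile(r"/cgi-bin/[^/?]+\.cgi$", re.I)
SHELL_UA = re.compile(
    r"(^|[;|&`$])\s*(id|whoami|uname|cat|ls|sh|bash|curl|wget|chmod|rm)\b", re.I
)

# Constructed sample records (documentation IP ranges, invented tokens).
SAMPLE_LOG = """\
{"src": "203.0.113.7", "method": "GET", "path": "/api/fabric/device/status", "authorization": "Bearer 9f1c2e7a8b3d", "user_agent": "FortiGate", "status": 401}
{"src": "198.51.100.9", "method": "GET", "path": "/api/fabric/device/status", "authorization": "Bearer ' or '1'='1", "user_agent": "python-requests/2.31", "status": 200}
{"src": "198.51.100.9", "method": "GET", "path": "/api/fabric/device/status", "authorization": "Bearer ' union select 1 into outfile 'x.cgi'-- ", "user_agent": "python-requests/2.31", "status": 500}
{"src": "198.51.100.9", "method": "GET", "path": "/cgi-bin/x.cgi", "authorization": "", "user_agent": "id; uname -a", "status": 200}
{"src": "192.0.2.4", "method": "GET", "path": "/index.html", "authorization": "", "user_agent": "Mozilla/5.0", "status": 200}
"""


def classify(rec: dict) -> list:
    """Return the detection tags that apply to one request record."""
    tags = []
    path = rec.get("path", "")
    auth = rec.get("authorization", "")
    ua = rec.get("user_agent", "")
    if path == FABRIC_ENDPOINT and auth.lower().startswith("bearer "):
        token = auth[len("bearer "):]
        if any(p.search(token) for p in SQLI_PATTERNS):
            tags.append("sqli-probe")
        if FILE_WRITE.search(token):
            tags.append("file-write")
    if CGI_PATH.search(path) and SHELL_UA.search(ua):
        tags.append("webshell-command")
    return tags


def detect(log_text: str) -> list:
    """Scan JSON-lines records; return one finding per line that raised a tag."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        rec = json.loads(line)
        tags = classify(rec)
        if tags:
            findings.append({"line": n, "src": rec.get("src"), "tags": tags})
    return findings


def correlate(findings: list) -> list:
    """Sources that both probed the Fabric endpoint and then drove a .cgi with
    shell commands: the full chain, highest priority for incident response."""
    by_src = {}
    for f in findings:
        by_src.setdefault(f["src"], set()).update(f["tags"])
    return sorted(s for s, t in by_src.items()
                  if "sqli-probe" in t and "webshell-command" in t)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for f in found:
        print(f)
    print("full chain from:", correlate(found))
```

The User-Agent heuristic is deliberately loose (a plain `curl/...` agent hitting a .cgi path also trips it); tune the keyword list to the CGI scripts the appliance legitimately serves, and treat any source that appears in the correlated list as a compromised-device investigation, not just a blocked probe.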

Conclusion

CVE‑2025‑25257 is a very serious vulnerability: an attacker can execute code remotely before any authentication and take full control of the WAF. Worse, a PoC is already public, so the risk of active exploitation against exposed devices is high.

Admins must patch immediately and apply the mitigations below if patching cannot happen right away. Protecting the WAF protects not only the applications behind it but the rest of your network as well.

Recommendations

  1. Software Update (Patching) – MANDATORY. Upgrade to a fixed release: FortiWeb 7.6.4, 7.4.8, 7.2.11 or 7.0.11, or later within each branch. Because a PoC is public, also check exposed devices for signs of compromise, such as unexpected .cgi files or Python scripts on the appliance.

  2. Temporary measures if patching is not possible immediately

  • Disable the HTTP/HTTPS management interface to block pre-auth access to the endpoint /api/fabric/device/status.

  • Use a firewall to block public IPs from reaching the Fabric API and the management interface; allow only trusted administrative addresses.

