[CIVN-2025-0144] Unauthenticated SQL injection in FortiWeb
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Unauthenticated SQL injection in FortiWeb
Indian Computer Emergency Response Team (CERT-In) (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
FortiWeb Versions 7.6.0 through 7.6.3
FortiWeb Versions 7.4.0 through 7.4.7
FortiWeb Versions 7.2.0 through 7.2.10
FortiWeb Versions 7.0.0 through 7.0.10
Overview
A vulnerability has been reported in GUI components of FortiWeb which could allow an unauthenticated attacker to execute unauthorized SQL queries on the underlying database.
Target Audience:
All organizations and individuals using FortiWeb products.
Risk/Impact Assessment:
Unauthorized data access, data loss, or full system compromise.
Description
Fortinet FortiWeb is a web application firewall designed to protect web-based applications and APIs from threats.
This vulnerability exists in the GUI component of FortiWeb because special characters in attacker-controlled input are not properly neutralized before the input is used in an SQL command (SQL injection, CWE-89). An attacker could exploit it by sending specially crafted requests to the web-based management interface of the targeted system; no credentials are required.
Successful exploitation could allow an unauthenticated remote attacker to execute unauthorized SQL queries or commands on the underlying database, leading to disclosure or modification of stored data and potentially to compromise of the appliance itself.
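The flaw class described above, shown as an added example that is not FortiWeb code and does not reproduce the FortiWeb bug: a lookup that builds its SQL by string concatenation (special characters in the input are not neutralized) next to the parameterized form that neutralizes them. The table and token values are constructed for the demonstration and run on an in-memory SQLite database.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a session table a management GUI might consult."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_sessions (token TEXT PRIMARY KEY, username TEXT)")
    conn.executemany(
        "INSERT INTO admin_sessions VALUES (?, ?)",
        [("tok-aaaa", "alice"), ("tok-bbbb", "bob")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, token: str) -> List[str]:
    """Deliberately vulnerable: the token is pasted straight into the SQL text.

    A token such as  ' OR '1'='1  closes the quoted literal and appends an
    always-true condition, so the WHERE clause matches every row.
    """
    sql = "SELECT username FROM admin_sessions WHERE token = '" + token + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn: sqlite3.Connection, token: str) -> List[str]:
    """Hardened form: a bound parameter is sent as data, never parsed as SQL.

    The same payload is now compared literally against the token column and
    matches nothing.
    """
    sql = "SELECT username FROM admin_sessions WHERE token = ?"
    return sorted(row[0] for row in conn.execute(sql, (token,)))


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))  # every session is returned
    print("safe:      ", lookup_safe(db, payload))        # nothing is returned
```

The behavioural difference is the whole test for this bug class: an unauthenticated caller who can reach the query path with a quote character in hand gets results they were never meant to see from the concatenated form, and nothing from the parameterized one.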
Workaround
Disable the HTTP/HTTPS administrative interface if it is not essential, as the vulnerability is present in the GUI web interface. Where the interface must stay enabled, restrict management access to trusted administrative networks and do not expose it directly to the internet. This is a mitigation only, not a fix; apply the vendor update as soon as possible.
Solution
Apply the updates provided by the vendor, upgrading each affected branch to a release above the affected range listed for it (see the vendor advisory for the exact fixed builds):
https://fortiguard.fortinet.com/psirt/FG-IR-25-151
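An added helper for triaging an estate against the ranges listed in this advisory; it is not CERT-In or Fortinet tooling. It encodes the four inclusive version ranges from the Software Affected section, reports whether a given build falls inside one, and suggests the first patch release above the range as the minimum upgrade target (verify the actual fixed build in the vendor advisory before acting). The accepted input formats, including the "v7.4.3,build1234" banner style, are assumptions about how the version may be recorded.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges, exactly as listed in this advisory.
AFFECTED_RANGES = [
    ((7, 6, 0), (7, 6, 3)),
    ((7, 4, 0), (7, 4, 7)),
    ((7, 2, 0), (7, 2, 10)),
    ((7, 0, 0), (7, 0, 10)),
]

# Accepts "7.4.3", "v7.4.3" or "FortiWeb v7.4.3,build1234" (assumed banner formats).
_VER_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract a (major, minor, patch) tuple; raise if no version is present."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(part) for part in v)


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Classify a build against the advisory.

    Returns ("affected", "<minimum upgrade>") when the build sits inside a
    listed range, ("patched", None) when it is on a listed branch but above
    the range, and ("unlisted", None) for branches this advisory does not
    cover, which must not be read as "safe".
    """
    v = parse_version(text)
    for low, high in AFFECTED_RANGES:
        if low <= v <= high:
            # First patch release above the range: the upper bound plus one.
            minimum_upgrade = (high[0], high[1], high[2] + 1)
            return "affected", fmt(minimum_upgrade)
    for low, high in AFFECTED_RANGES:
        if v[:2] == low[:2] and v > high:
            return "patched", None
    return "unlisted", None


if __name__ == "__main__":
    # Constructed inventory lines, as an operator might have them.
    for banner in ["FortiWeb v7.4.3,build1234", "7.2.10", "7.6.4", "6.4.2"]:
        status, target = assess(banner)
        print(f"{banner:28s} -> {status}" + (f", upgrade to {target} or later" if target else ""))
```

Run it over a version inventory rather than a single host: the "unlisted" outcome is deliberately separate from "patched" so that end-of-life branches outside the advisory's scope are flagged for a manual check instead of being silently treated as fixed.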
Vendor Information
Fortinet
https://fortiguard.fortinet.com/psirt/FG-IR-25-151
References
Fortinet
https://fortiguard.fortinet.com/psirt/FG-IR-25-151
CVE Name
CVE-2025-25257
-- 
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----