FortiWeb's Pre-Auth SQL Injection Is Being Exploited Right Now
CVE-2025-25257 is a pre-authentication SQL injection in FortiWeb Fabric Connector that enables remote code execution. Actively exploited in the wild with public PoC available. Affects FortiWeb 7.0.x through 7.6.x. CISA KEV listed.
If you're running FortiWeb and haven't patched recently, this is your wake-up call. CVE-2025-25257 is a pre-authentication SQL injection vulnerability that lets attackers execute arbitrary commands on your FortiWeb appliance without ever needing to log in. It's in CISA's Known Exploited Vulnerabilities catalog. Fortinet has confirmed active exploitation in the wild. And as of today, there's a public proof-of-concept on exploit-db making it trivially easy to exploit.
The vulnerability lives in the Fabric Connector API, specifically the /api/fabric/device/status endpoint. The attack is embarrassingly simple: inject SQL through the Authorization header. The PoC is literally a one-liner curl command. No authentication required. No complex exploit chain. Just send a malicious request and watch things happen that shouldn't.
Affected versions span nearly the entire FortiWeb 7.x line: 7.0.0 through 7.0.10, 7.2.0 through 7.2.10, 7.4.0 through 7.4.7, and 7.6.0 through 7.6.3. If you're on any of those versions, you're vulnerable to unauthenticated remote code execution. That's not a theoretical risk — it's an active one.
CISA added this to the KEV catalog back in July 2025 with an August 8th remediation deadline for federal agencies. The fact that we're now in February 2026 and there's still enough unpatched FortiWeb instances out there for exploit-db to be publishing fresh PoCs tells you everything about patch adoption rates.
Fortinet's fix is straightforward: upgrade to 7.0.11, 7.2.11, 7.4.8, or 7.6.4 depending on your branch. If you absolutely cannot patch immediately, disable the HTTP/HTTPS administrative interface as a workaround. That's not a long-term solution, but it'll buy you time.
The broader pattern here is worth noting. Fortinet appliances have had a rough couple of years security-wise. FortiOS, FortiProxy, FortiManager, and now FortiWeb have all had critical vulnerabilities that were actively exploited before or shortly after disclosure. If you're running Fortinet gear, your patch cadence needs to be aggressive. Waiting even a few weeks can mean the difference between "patched in time" and "compromised."
Tags
References
- Fortinet Advisory FG-IR-25-151
https://fortiguard.fortinet.com/psirt/FG-IR-25-151
- NVD Entry
https://nvd.nist.gov/vuln/detail/CVE-2025-25257
- Exploit-DB PoC
https://www.exploit-db.com/exploits/52473
- CISA KEV Catalog
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Protect Your Organization
Find vulnerabilities like this in your systems before attackers do.
24/7 monitoring to detect and respond to threats like these in real time.
Block phishing and malware delivery targeting your organization.
Map security controls to 26 frameworks including NIST, SOC 2, and HIPAA.