关联漏洞
标题:
Fortinet FortiWeb SQL注入漏洞
(CVE-2025-25257)
描述:Fortinet FortiWeb是美国飞塔(Fortinet)公司的一款Web应用层防火墙,它能够阻断如跨站点脚本、SQL注入、Cookie中毒、schema中毒等攻击的威胁,保证Web应用程序的安全性并保护敏感的数据库内容。 Fortinet FortiWeb 7.6.3及之前版本、7.4.7及之前版本、7.2.10及之前版本和7.0.10之前版本存在SQL注入漏洞,该漏洞源于对SQL命令中特殊元素中和不当,可能导致SQL注入攻击。
描述
CVE‑2025‑25257 is a critical pre-authentication SQL injection vulnerability affecting Fortinet FortiWeb’s
介绍
# CVE-2025-25257
CVE‑2025‑25257 is a critical pre-authentication SQL injection vulnerability affecting Fortinet FortiWeb’s Fabric Connector component. It impacts FortiWeb versions:
+ 7.6.0–7.6.3
+ 7.4.0–7.4.7
+ 7.2.0–7.2.10
+ ≤ 7.0.10
## Technical Details
The issue resides in the get_fabric_user_by_token() function, which constructs SQL queries using unsanitized user input (the Authorization: Bearer <token> HTTP header). This leads to an SQL injection (CWE‑89) vulnerability
- Attackers can bypass authentication and inject arbitrary SQL commands.
- By exploiting MySQL’s SELECT … INTO OUTFILE, attackers can write malicious .pth files or webshells within the server’s file system (e.g. in Python site‑packages or CGI directories), resulting in remote code execution (RCE)
## Impact
- CVSS score: 9.6–9.8 (Critical)
- The attacker gains unauthenticated access to execute OS-level commands on the affected appliance, potentially leading to full system compromise
- Public Proof-of-Concept (PoC) exploits are available and reportedly being used
## Recommended Mitigations
- Patch Immediately
Upgrade FortiWeb to: 7.6.4+, 7.4.8+, 7.2.11+, or 7.0.11+
- Temporary Mitigation
Disable or restrict access to the HTTP/HTTPS administrative interface until the patch is applied
- Monitor and Detect
+ Inspect logs for suspicious Authorization headers containing SQL syntax.
+ Add IDS/IPS signatures to detect injection patterns in Fabric Connector API calls (especially /api/fabric/device/status).
+ Check the file system (e.g., .pth files in site-packages or unusual CGI scripts like ml-draw.py) for unauthorized deployments
## Summary
CVE‑2025‑25257 is a severe pre-auth SQL injection → RCE chain enabling attackers to implant arbitrary payloads in FortiWeb systems. It’s easy to exploit, widely weaponized, and has a fix available. Applying the vendor patch and enhancing monitoring controls are essential to prevent system compromise.
文件快照
[4.0K] /data/pocs/55794ef736dfa1115b8c32a07d5217b85cea6621
├── [5.2K] CVE-2025-25257.py
└── [2.0K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。