
CVE-2025-25257 PoC — Fortinet FortiWeb SQL Injection Vulnerability

Source
Associated Vulnerability
Title: Fortinet FortiWeb SQL Injection Vulnerability (CVE-2025-25257)
Description: Fortinet FortiWeb is a web application firewall from the US company Fortinet. It blocks threats such as cross-site scripting, SQL injection, cookie poisoning and schema poisoning attacks, securing web applications and protecting sensitive database content. Fortinet FortiWeb versions 7.6.3 and earlier, 7.4.7 and earlier, 7.2.10 and earlier, and versions before 7.0.10 contain a SQL injection vulnerability. The flaw stems from improper neutralization of special elements in SQL commands and may lead to SQL injection attacks.
Readme

# CVE-2025-25257
CVE‑2025‑25257 is a critical pre-authentication SQL injection vulnerability affecting Fortinet FortiWeb’s Fabric Connector component. It impacts FortiWeb versions:
+ 7.6.0–7.6.3
+ 7.4.0–7.4.7
+ 7.2.0–7.2.10
+ ≤ 7.0.10

## Technical Details
The issue resides in the get_fabric_user_by_token() function, which constructs SQL queries using unsanitized user input (the Authorization: Bearer <token> HTTP header). This leads to an SQL injection (CWE‑89) vulnerability.
- Attackers can bypass authentication and inject arbitrary SQL commands.
- By exploiting MySQL’s SELECT … INTO OUTFILE, attackers can write malicious .pth files or webshells within the server’s file system (e.g. in Python site‑packages or CGI directories), resulting in remote code execution (RCE).

## Impact
- CVSS score: 9.6–9.8 (Critical).
- The attacker gains unauthenticated access to execute OS-level commands on the affected appliance, potentially leading to full system compromise.
- Public Proof-of-Concept (PoC) exploits are available and reportedly being used.

## Recommended Mitigations
- Patch Immediately
  Upgrade FortiWeb to 7.6.4+, 7.4.8+, 7.2.11+, or 7.0.11+.
- Temporary Mitigation
  Disable or restrict access to the HTTP/HTTPS administrative interface until the patch is applied.
- Monitor and Detect
  + Inspect logs for suspicious Authorization headers containing SQL syntax.
  + Add IDS/IPS signatures to detect injection patterns in Fabric Connector API calls (especially /api/fabric/device/status).
  + Check the file system (e.g., .pth files in site-packages or unusual CGI scripts like ml-draw.py) for unauthorized deployments.
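Added example (not code from the PoC repository or from Fortinet): a small Python detector that applies the first two monitoring steps above to access-log lines, flagging requests to /api/fabric/device/status whose Bearer token contains SQL syntax rather than an opaque token. The log line format, the sample lines and the indicator list are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote

# Fabric Connector endpoint named in the README. The log line format below is
# constructed for this example and is not FortiWeb's own log layout.
FABRIC_PATH = "/api/fabric/device/status"
LOG_LINE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) "(?P<auth>[^"]*)"$'
)

# A legitimate bearer token is an opaque string; any of these inside it is SQL syntax.
SQL_INDICATORS = [
    (re.compile(r"['\"`]"), "quote"),       # closes the string literal around the token
    (re.compile(r"(--|/\*)"), "comment"),   # comment markers that discard the rest of the query
    (re.compile(r"\b(union|select|into|outfile|dumpfile|sleep|benchmark)\b", re.I), "keyword"),
]

def classify_token(token: str) -> list[str]:
    """Return the indicator names found in a bearer token, after URL-decoding it."""
    decoded = unquote(token)
    return [name for pattern, name in SQL_INDICATORS if pattern.search(decoded)]

def detect(lines):
    """Yield (client, path, reasons) for Fabric Connector requests whose token carries SQL syntax."""
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["path"].split("?", 1)[0] != FABRIC_PATH:
            continue
        auth = m["auth"]
        if not auth.lower().startswith("bearer "):
            continue                      # other schemes are not the vector described here
        reasons = classify_token(auth[len("bearer "):])
        if reasons:
            yield m["src"], m["path"], reasons

# Constructed sample log lines: one clean token, two injected tokens (the second URL-encoded),
# one hit on an unrelated endpoint, and one non-bearer request.
SAMPLE_LOG = [
    '198.51.100.7 "GET /api/fabric/device/status" 200 "Bearer 3f9a1c7e0b2d4e6f8a1b3c5d7e9f0a2b"',
    '203.0.113.9 "GET /api/fabric/device/status" 500 "Bearer x\' UNION SELECT 1-- "',
    '203.0.113.9 "GET /api/fabric/device/status" 200 "Bearer abc%27%20OR%201%3D1--%20"',
    '192.0.2.5 "GET /api/example/other" 200 "Bearer tok\' select"',
    '192.0.2.6 "GET /api/fabric/device/status" 401 "Basic dXNlcjpwYXNz"',
]

if __name__ == "__main__":
    for client, path, reasons in detect(SAMPLE_LOG):
        print(f"ALERT {client} {path} token contains SQL syntax: {', '.join(reasons)}")
```

Tokens are URL-decoded before matching so that percent-encoded quotes and comment markers are still caught; a hit on a 500 response is worth prioritising, since a broken query is a typical first sign of probing.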

## Summary
CVE‑2025‑25257 is a severe pre-auth SQL injection → RCE chain enabling attackers to implant arbitrary payloads in FortiWeb systems. It’s easy to exploit, widely weaponized, and has a fix available. Applying the vendor patch and enhancing monitoring controls are essential to prevent system compromise.
File Snapshot

[4.0K] /data/pocs/55794ef736dfa1115b8c32a07d5217b85cea6621
├── [5.2K] CVE-2025-25257.py
└── [2.0K] README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.