
CVE-2025-25257 PoC — Fortinet FortiWeb SQL Injection Vulnerability

Source
Associated Vulnerability
Title: Fortinet FortiWeb SQL Injection Vulnerability (CVE-2025-25257)
Description: Fortinet FortiWeb is a web application firewall from the US company Fortinet. It blocks threats such as cross-site scripting, SQL injection, cookie poisoning and schema poisoning, securing web applications and protecting sensitive database contents. Fortinet FortiWeb versions 7.6.3 and earlier, 7.4.7 and earlier, 7.2.10 and earlier, and versions before 7.0.10 contain an SQL injection vulnerability. It is caused by improper neutralization of special elements used in SQL commands and may lead to SQL injection attacks.
Description
Public PoC for CVE-2025-25257: FortiWeb pre-auth SQLi to RCE
Readme
# CVE-2025-25257 - FortiWeb Pre-Auth SQL Injection to RCE

## 07/09/2025 by TheStingR

<div align="center">
  <img src="https://img.shields.io/badge/Language-Python-blue?style=for-the-badge&logo=python&logoColor=white" alt="Language: Python">
  <img src="https://img.shields.io/badge/CVSS-9.6--9.8%20Critical-red?style=for-the-badge" alt="CVSS Score: 9.6-9.8 Critical">
  <img src="https://img.shields.io/badge/Exploit-PoC%20Available-orange?style=for-the-badge" alt="Exploit Status: Proof of Concept Available">
  <img src="https://img.shields.io/badge/CVE_2025_25257-Disclosed-green?style=for-the-badge" alt="CVE Status: CVE-2025-25257 Disclosed">
  <img src="https://img.shields.io/badge/Version-v1.0.0-brightgreen?style=for-the-badge" alt="Version: v1.0.0">
  <img src="https://img.shields.io/badge/Target-FortiWeb-purple?style=for-the-badge" alt="Target Platform: FortiWeb">
</div>

> **Disclaimer:** This proof-of-concept (PoC) is provided for authorized security testing and research purposes only. Unauthorized use against systems you do not own or have explicit permission to test is illegal. Users are responsible for complying with all applicable laws and regulations.

**CVE-2025-25257** is a critical vulnerability in Fortinet FortiWeb, a web application firewall, within its Fabric Connector component. It allows attackers to execute arbitrary system commands without authentication, posing a severe risk of full system compromise.

## Affected Versions

| Version Range | Status |
|---------------------|--------------|
| 7.6.0 – 7.6.3 | Vulnerable |
| 7.4.0 – 7.4.7 | Vulnerable |
| 7.2.0 – 7.2.10 | Vulnerable |
| 7.0.10 and earlier | Vulnerable |

## Vulnerability Overview

This vulnerability stems from insecure handling of the `Authorization: Bearer <token>` HTTP header in the `get_fabric_user_by_token()` function. Due to insufficient input sanitization, attackers can inject malicious SQL commands (SQL Injection, CWE-89).

**Impact:**

- **Authentication Bypass:** Attackers can execute arbitrary SQL queries without credentials.
- **Remote Code Execution (RCE):** Using MySQL's `SELECT ... INTO OUTFILE`, attackers can write malicious files (e.g., webshells or Python scripts) to the server, enabling full system control.

## Download

📥 **[Download Latest Release (v1.0.0)](https://github.com/TheStingR/CVE-2025-25257/releases/tag/v1.0.0)**

**Files included:**

- `CVE-2025-25257.py` - Python exploit script
- `README.md` - Complete documentation
- `exploit_workflow.svg` - Attack workflow diagram

## Exploit Workflow

The exploit follows these steps, as illustrated in the Mermaid diagram below (rendered natively on GitHub) and the static image `exploit_workflow.svg`:

```mermaid
graph TD
    A[Attacker] --> B[Target Endpoint]
    B --> C[SQL Injection]
    C --> D[Webshell Creation]
    D --> E[Command Execution]
    E --> F[System Compromise]
```

<div align="center">
  <img src="exploit_workflow.svg" alt="Exploit Workflow" width="25%">
</div>

1. **SQL Injection:** The attacker sends a crafted HTTP request to the vulnerable `/api/fabric/device/status` endpoint.
1. **File Creation:** The SQL injection writes a webshell (e.g., `webshell.php`) to the server.
1. **Command Execution:** The attacker sends commands via the `User-Agent` header to the webshell, executing arbitrary system commands.

## Why This Is Critical

- **CVSS Score:** 9.6–9.8 (Critical)
- **Unauthenticated Access:** No credentials are required for exploitation.
- **Full System Compromise:** Attackers can gain complete control of the affected FortiWeb device.
- **Active Exploitation:** Public proof-of-concept (PoC) exploits are available and being used in the wild.

## Remediation

| Action | Details |
|-----------------------|-------------------------------------------------------------------------|
| **Patch Immediately** | Upgrade to a fixed version: 7.6.4+, 7.4.8+, 7.2.11+, or 7.0.11+ |
| **Temporary Mitigation** | Restrict or disable HTTP/HTTPS admin interface access |
| **Detection** | - Monitor `Authorization` headers for SQL syntax<br>- Use IDS/IPS to detect SQL injection attempts on `/api/fabric/device/status`<br>- Check for unexpected files (e.g., `.php`, `.py`, or CGI scripts) |
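As an added defensive example (not code from the PoC repository), the script below combines the Affected Versions table with the detection advice in the Remediation table: it classifies a FortiWeb version string against the vulnerable ranges and scans log lines for Bearer tokens carrying SQL syntax on the `/api/fabric/device/status` endpoint. The log format with a trailing `auth="..."` field and the sample lines are constructed assumptions for the example.

```python
import re

# Vulnerable ranges from the Affected Versions table above (first fixed
# builds: 7.6.4, 7.4.8, 7.2.11, 7.0.11); "7.0.10 and earlier" gets an open lower bound.
AFFECTED_RANGES = [((7, 6, 0), (7, 6, 3)), ((7, 4, 0), (7, 4, 7)),
                   ((7, 2, 0), (7, 2, 10)), ((0, 0, 0), (7, 0, 10))]


def is_affected(version: str) -> bool:
    """True when a FortiWeb version string falls inside a vulnerable range."""
    v = tuple(int(p) for p in version.strip().split("."))
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


TARGET_PATH = "/api/fabric/device/status"
# A Fabric Connector bearer token should be opaque: quotes, SQL comment
# markers and the keywords named in the overview have no business in one.
SQL_HINTS = re.compile(r"""['"();]|--|/\*|\b(select|union|into|outfile)\b""", re.I)
# Assumed (constructed) reverse-proxy log format that records the
# Authorization header in a trailing auth="..." field.
LOG_RE = re.compile(r'^(?P<ip>\S+) - "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) auth="(?P<auth>.*)"$')


def flag_line(line: str):
    """Return a finding for a bearer token with SQL syntax on the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m or m["path"].split("?", 1)[0] != TARGET_PATH:
        return None
    auth = m["auth"]
    if not auth.lower().startswith("bearer "):
        return None
    token = auth[len("bearer "):]
    hit = SQL_HINTS.search(token)
    if not hit:
        return None
    return {"ip": m["ip"], "status": m["status"], "token": token, "hit": hit.group(0)}


def scan(lines):
    """Run flag_line over an iterable of log lines and keep the findings."""
    return [f for f in map(flag_line, lines) if f]


# Constructed sample lines: a clean request, an injection attempt, and an
# apostrophe on an unrelated path that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - "GET /api/fabric/device/status HTTP/1.1" 200 auth="Bearer 3f9c0d2e7b1a"',
    '10.0.0.9 - "GET /api/fabric/device/status HTTP/1.1" 500 auth="Bearer x\' or 1=1-- "',
    '10.0.0.7 - "GET /api/v2.0/system/status HTTP/1.1" 200 auth="Bearer o\'brien"',
]
```

Running `scan(SAMPLE_LOG)` flags only the second line; the keyword list is a heuristic and should be tuned against the token format your deployment actually issues.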

**References:**

- [Fortinet PSIRT Advisory](https://www.fortinet.com/support/product-security) (Check for FG-IR-25-XXX when published)
- Community write-ups: [Exploit-DB](https://www.exploit-db.com/), [HackerOne](https://hackerone.com/)

## PoC Usage (Authorized Testing Only)

**This tool is for authorized security testing and research purposes only. Ensure you have explicit permission to test the target system.**

### Prerequisites

- Python 3.8 or later
- Required libraries: `requests` (third-party); `argparse` is part of the Python standard library
- Install dependencies: `pip install requests`

### Usage

```bash
python3 CVE-2025-25257.py -t https://target-ip
```

| Option | Description |
|--------------|------------------------------------------------|
| `-t` | Target URL (e.g., `https://target-ip`) |
| `-T` | File containing multiple target URLs |
| `--proxy` | Route traffic through a proxy (e.g., `http://127.0.0.1:8080`) |

**Post-Exploitation:** After successful exploitation, the script outputs the webshell URL (e.g., `https://target-ip/webshell.php`). Commands can be sent to the webshell via the `User-Agent` header using tools like `curl` or a browser.

### Example

```bash
python3 CVE-2025-25257.py -t https://192.168.1.100 --proxy http://127.0.0.1:8080
```

**Output:** If successful, the script will display:

```
[+] Webshell deployed at: https://192.168.1.100/webshell.php
[+] Send commands via User-Agent header, e.g., `curl -A "whoami" https://192.168.1.100/webshell.php`
```

## Summary

CVE-2025-25257 is a severe, easily exploitable vulnerability in FortiWeb, enabling unauthenticated attackers to achieve full system control. Immediate patching is critical, and organizations should monitor for signs of exploitation.

**Visual Aids:** The Mermaid diagram above renders natively on GitHub. The static `exploit_workflow.svg` (included in the repository) provides the same workflow for offline viewing or presentations, with scalable vector graphics for high-quality rendering.
File Snapshot

```
[4.0K] /data/pocs/6493292ede5219bf5e17b384012ab5171ec00052
├── [6.9K] CVE-2025-25257.py
├── [ 12K] exploit_workflow.svg
└── [6.0K] README.md

0 directories, 3 files
```