A severe pre-authentication SQL injection vulnerability in Fortinet's FortiWeb Fabric Connector has been discovered, allowing attackers to achieve full remote code execution without any user credentials.
The flaw, tracked as CVE-2025-25257, affects multiple versions of FortiWeb and represents a significant security risk for organizations relying on Fortinet's web application firewall technology.
The vulnerability stems from improper input sanitization in the FortiWeb Fabric Connector's authentication mechanism. Security researchers found that the get_fabric_user_by_token function directly concatenates user-supplied input from HTTP Authorization headers into SQL queries without proper escaping or validation.
This classic SQL injection flaw occurs when processing authentication tokens sent via the "Bearer" authorization scheme.
The Fabric Connector serves as integration middleware between FortiWeb and other Fortinet security products like FortiGate firewalls and FortiManager.
It enables dynamic policy updates and threat intelligence sharing across the security ecosystem. The vulnerable endpoint /api/fabric/device/status can be exploited by sending specially crafted HTTP requests with malicious SQL payloads in the Authorization header.
What makes this vulnerability particularly dangerous is its escalation potential. Researchers demonstrated that the MySQL service runs with root privileges, enabling attackers to write arbitrary files to the filesystem using MySQL's INTO OUTFILE command. By leveraging Python's site-packages configuration hooks and existing CGI scripts, attackers can achieve full remote code execution on the target system.
The affected versions span multiple FortiWeb releases: 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10, and 7.0.0 through 7.0.10. Fortinet has released patches addressing the vulnerability by replacing vulnerable string formatting with prepared statements.
Organizations using affected FortiWeb versions should immediately upgrade to the latest patched releases (7.6.4, 7.4.8, 7.2.11, or 7.0.11, respectively). Network administrators should also review access controls for Fabric Connector endpoints and monitor for suspicious authentication attempts containing SQL injection patterns.