Proof-of-concept exploits have been launched for a crucial SQLi vulnerability in Fortinet FortiWeb that can be utilized to obtain pre-authenticated distant code execution on susceptible servers.
FortiWeb is an online utility firewall (WAF), which is used to guard internet functions from malicious HTTP visitors and threats.
The FortiWeb vulnerability has a 9.8/10 severity rating and is tracked as CVE-2025-25257. Fortinet fastened it final week in FortiWeb 7.6.4, 7.4.8, 7.2.11, and seven.0.11 and later variations.
“An improper neutralization of particular parts utilized in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in FortiWeb might enable an unauthenticated attacker to execute unauthorized SQL code or instructions through crafted HTTP or HTTPs requests,” reads Fortinet’s advisory.
The flaw was found by Kentaro Kawane from GMO Cybersecurity, who additionally disclosed a static hardcoded password vulnerability in Cisco ISE final month.
FortiWeb pre-auth SQLi to pre-auth RCE
Immediately, cybersecurity agency WatchTowr and a safety researcher referred to as “defective *ptrrr” launched technical write-ups and proof-of-concept exploits that open reverse shells or an online shell.
The flaw is present in FortiWeb’s Cloth Connector, which is software program that synchronizes authentication and coverage information between Fortinet merchandise.
The software program accommodates an unauthenticated SQL injection flaw within the get_fabric_user_by_token() operate, which makes use of the next code to difficulty a MySQL question:
snprintf(s, 0x400u, "choose id from fabric_user.user_table the place token='%s'", a1);This code didn’t correctly sanitize the bearer token despatched in HTTP request headers, permitting attackers to inject customized SQL into the header to realize SQLi.
Attackers can set off the flaw via HTTP requests to the /api/cloth/gadget/standing endpoint by injecting SQL into the Authorization header (e.g., Bearer AAAAAA'or'1'='1), permitting attackers to bypass authentication checks.
The researchers had been in a position to escalate the SQL injection to distant code execution by executing MySQL’s SELECT … INTO OUTFILE question through the SQLi flaw to create arbitrary information on the gadget. This allowed them to put in writing a Python .pth file into the positioning‑packages listing.
As .pth information are robotically loaded and run when Python is executed, the researchers discovered a reputable FortiWeb CGI Python script (/cgi-bin/ml‑draw.py) that could possibly be used to launch the malicious code within the .pth file and obtain distant code execution.
As exploits are actually public and extensively obtainable, it’s strongly suggested that admins prioritize putting in the patches to stop servers from being compromised.
Right now, there isn’t a indication that the vulnerability is being actively exploited, however this can probably change within the close to future.
Whereas cloud assaults could also be rising extra refined, attackers nonetheless succeed with surprisingly easy methods.
Drawing from Wiz’s detections throughout 1000’s of organizations, this report reveals 8 key methods utilized by cloud-fluent menace actors.
