Proof-of-concept exploits have been released for a critical SQL injection vulnerability in Fortinet FortiWeb that can be used to achieve pre-authenticated remote code execution on vulnerable servers.
FortiWeb is a web application firewall (WAF) used to protect web applications from malicious HTTP traffic and threats.
The FortiWeb vulnerability has a 9.8/10 severity rating and is tracked as CVE-2025-25257. Fortinet fixed it last week in FortiWeb 7.6.4, 7.4.8, 7.2.11, and 7.0.11 and later versions.
"An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability (CWE-89) in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests," reads Fortinet's advisory.
The flaw was discovered by Kentaro Kawane from GMO Cybersecurity, who also disclosed a static hardcoded password vulnerability in Cisco ISE last month.
FortiWeb Pre-Auth SQLi to Pre-Auth RCE
Today, cybersecurity firm watchTowr and a security researcher known as "faulty *ptrrr" released technical write-ups and proof-of-concept exploits that open reverse shells or a web shell.
The flaw is found in FortiWeb's Fabric Connector, which is software that synchronizes authentication and policy data between Fortinet products.
The software contains an unauthenticated SQL injection flaw in the get_fabric_user_by_token() function, which uses the following code to issue a MySQL query:
snprintf(s, 0x400u, "select id from fabric_user.user_table where token='%s'", a1);
This code did not sanitize the bearer token sent in the HTTP request header before formatting it into the query string, so anything an attacker places in the header becomes part of the SQL statement.
Attackers can trigger the flaw through HTTP requests to the /api/fabric/device/status endpoint by injecting SQL into the Authorization header (e.g., Bearer AAAAAA'or'1'='1), allowing them to bypass authentication checks.
The researchers were able to escalate the SQL injection to remote code execution by executing MySQL's SELECT ... INTO OUTFILE query via the SQLi flaw to create arbitrary files on the device. This allowed them to write a Python .pth file into the site-packages directory.
As .pth files are automatically loaded and run when Python is executed, the researchers found a legitimate FortiWeb CGI Python script (/cgi-bin/ml-draw.py) that could be used to launch the malicious code in the .pth file and achieve remote code execution.
As exploits are now public and widely available, admins are strongly advised to prioritize installing the patches to prevent servers from being compromised.
Currently, there is no indication that the vulnerability is being actively exploited, but this will likely change in the near future.
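The snprintf() pattern above, reproduced as an added example (not FortiWeb's code) next to a hardened variant that rejects a token before it can reach the query text. The allowlist of token characters and the TOKEN_MAX limit are assumptions; the real FortiWeb token format is not given on the page, and the durable fix is a prepared statement with the token bound as a parameter.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the decompiled pattern: the bearer token is formatted straight
 * into the SQL text, so a single quote in the token ends the string
 * literal and the remainder is parsed as SQL. Returns bytes written or -1. */
int build_query_unsafe(char *out, size_t cap, const char *token)
{
    int n = snprintf(out, cap,
        "select id from fabric_user.user_table where token='%s'", token);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Assumed token grammar: 1..TOKEN_MAX characters from [A-Za-z0-9._-].
 * A deployment would set this to whatever its token issuer actually emits. */
#define TOKEN_MAX 128

int token_is_well_formed(const char *token)
{
    size_t len = 0;
    for (; token[len] != '\0'; len++) {
        unsigned char c = (unsigned char)token[len];
        if (len >= TOKEN_MAX)
            return 0;
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return len > 0;
}

/* Hardened form: a quote, space or '=' in the header is a hard error,
 * never SQL syntax. Returns -1 when the token is rejected. */
int build_query_checked(char *out, size_t cap, const char *token)
{
    if (!token_is_well_formed(token))
        return -1;
    return build_query_unsafe(out, cap, token);
}

int main(void)
{
    char q[0x400];
    const char *hdr = "AAAAAA'or'1'='1";   /* the payload quoted in the article */
    build_query_unsafe(q, sizeof q, hdr);
    printf("unsafe : %s\n", q);
    printf("checked: %s\n", build_query_checked(q, sizeof q, hdr) < 0
                            ? "token rejected" : q);
    return 0;
}
```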