
Fortinet has released fixes for a critical security flaw in FortiWeb that could allow an unauthenticated attacker to execute arbitrary database commands on a vulnerable instance.
Tracked as CVE-2025-25257, the vulnerability has a CVSS score of 9.6 out of 10.0.
"An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests," Fortinet said in an advisory released this week.

The flaw affects the following versions:
FortiWeb 7.6.0 through 7.6.3 (upgrade to 7.6.4 or above)
FortiWeb 7.4.0 through 7.4.7 (upgrade to 7.4.8 or above)
FortiWeb 7.2.0 through 7.2.10 (upgrade to 7.2.11 or above)
FortiWeb 7.0.0 through 7.0.10 (upgrade to 7.0.11 or above)
Kentaro Kawane of GMO Cybersecurity, who was recently credited with reporting a set of critical flaws in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (CVE-2025-20286, CVE-2025-20281, and CVE-2025-20282), has been credited with discovering and reporting the FortiWeb flaw.
In an analysis published today, watchTowr Labs said the issue is rooted in a function called "get_fabric_user_by_token" that belongs to the Fabric Connector component, which acts as a bridge between FortiWeb and other Fortinet products.
This function is invoked from another function named "fabric_access_check", which in turn is reachable from three different API endpoints, among them "/api/v[0-9]/fabric/widget/[a-z]+" and "/api/v[0-9]/fabric/widget".
The problem is that attacker-controlled input supplied as the Bearer token in the Authorization header of a specially crafted HTTP request is passed directly into an SQL query without being sanitized or validated to ensure it contains nothing malicious. Because the token is used to look the user up, no valid credential is needed to reach the vulnerable query.
The attack can be escalated further by embedding the payload in a SELECT ... INTO OUTFILE statement: because the query runs as the "mysql" user, the output of the query can be written to a file on the underlying operating system.

"The newer version of this function replaces the previous format-string query with a prepared statement. This is a reasonable attempt to prevent SQL injection," said security researcher Sina Kheirkhah.
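To make the format-string-versus-prepared-statement point concrete, the following is an added illustration, not FortiWeb's code or watchTowr's: it reproduces the pattern described above (a Bearer token dropped straight into an SQL string) next to the parameterized form, and runs three Authorization headers through both. The table name, column names, token values and SQLite in-memory database are all assumptions made for the example; SQLite is used so it runs anywhere, which means the MySQL-specific SELECT ... INTO OUTFILE escalation is not reproduced here.

```python
import sqlite3

# Constructed stand-in for a fabric-user table. The real FortiWeb schema is not
# public; this table name, its columns and the token value are assumptions.
SCHEMA = """
CREATE TABLE fabric_user (id INTEGER PRIMARY KEY, name TEXT, token TEXT);
INSERT INTO fabric_user (name, token) VALUES ('fabric-admin', 'c0ffee-secret-token');
"""


def open_db():
    """Fresh in-memory database seeded with the constructed fabric_user row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def bearer_token(authorization_header):
    """Return the token from an 'Authorization: Bearer <token>' header value, or None."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def get_fabric_user_by_token_vulnerable(conn, token):
    """CWE-89 pattern: the token text is spliced into the SQL statement, so any
    quote or comment sequence in it changes the query itself."""
    query = "SELECT name FROM fabric_user WHERE token='%s'" % token
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def get_fabric_user_by_token_fixed(conn, token):
    """Prepared statement: the token is bound as a parameter and is only ever
    compared as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT name FROM fabric_user WHERE token=?", (token,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run a legitimate token and two injection payloads through both versions.
    Returns {header: (vulnerable_result, fixed_result)}."""
    conn = open_db()
    headers = (
        "Bearer c0ffee-secret-token",                          # legitimate token
        "Bearer x' OR '1'='1",                                 # authentication bypass
        "Bearer x' UNION SELECT token FROM fabric_user--",     # exfiltrate the real token
    )
    results = {}
    for header in headers:
        token = bearer_token(header)
        results[header] = (
            get_fabric_user_by_token_vulnerable(conn, token),
            get_fabric_user_by_token_fixed(conn, token),
        )
    return results


if __name__ == "__main__":
    for header, (vuln, fixed) in demo().items():
        print(f"{header!r:60} vulnerable={vuln!r:25} fixed={fixed!r}")
```

The bypass payload makes the vulnerable lookup return the first user regardless of the token, and the UNION payload returns the stored secret itself; the prepared-statement version returns a user only for the genuine token. Note that parameterization fixes this one query but does nothing about what the caller later does with the result, so the endpoint's authorization logic still has to be reviewed separately.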
As a temporary workaround until the patches can be applied, users are advised to disable the HTTP/HTTPS administrative interface.
Because flaws in Fortinet devices have been exploited by threat actors in the past, it is essential that users move quickly to update to the latest version to mitigate potential risk.
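A retrospective check a defender could run while patching, added here as an example and not taken from the article or from watchTowr: it scans access-log lines for requests to the fabric widget endpoints named above and flags those whose Bearer token carries SQL syntax (quotes, comment sequences, UNION, INTO OUTFILE). The log format, client addresses and tokens are constructed for the example; FortiWeb's own logs may not record the Authorization header, so in practice this is run against a reverse proxy, WAF or packet capture that does, and it generalizes the page's two endpoint patterns to any API version number.

```python
import re
from urllib.parse import unquote

# Endpoint patterns from the write-up, generalized to any version number.
FABRIC_ENDPOINT = re.compile(r"^/api/v[0-9]+/fabric/widget(?:/[a-z]+)?$")

# SQL syntax that has no business inside an opaque bearer token.
SQLI_MARKERS = re.compile(
    r"(?i)(['\"]|--|/\*|;|\bunion\b|\bselect\b|\binto\s+outfile\b)"
)

# Assumed log line shape (not FortiWeb's format):
#   <client_ip> <method> <path> <status> "<Authorization header value>"  or  -
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) (?:"([^"]*)"|-)$')

# Constructed sample lines for the example.
SAMPLE_LOG = """\
10.0.0.5 GET /api/v2/fabric/widget/basic 200 "Bearer c0ffee-secret-token"
203.0.113.9 GET /api/v2/fabric/widget 200 "Bearer x' OR '1'='1"
203.0.113.9 GET /api/v2/fabric/widget 200 "Bearer x'%20UNION%20SELECT%20token%20FROM%20fabric_user--"
203.0.113.9 GET /api/v2/fabric/widget/basic 500 "Bearer x'; SELECT 1 INTO OUTFILE '/tmp/x'--"
198.51.100.4 GET /api/v2/system/status 200 "Bearer c0ffee-secret-token"
10.0.0.5 POST /login 302 -
"""


def classify(line):
    """Return (client_ip, path, severity) for a request to a fabric widget
    endpoint, or None for anything else. 'high' means the Bearer token contains
    SQL syntax; 'info' means a plain request that still deserves a look."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ip, _method, path, _status, auth = m.groups()
    if not FABRIC_ENDPOINT.match(path):
        return None
    token = None
    if auth and auth.lower().startswith("bearer "):
        # Decode percent-encoding so an encoded payload is not missed.
        token = unquote(auth[len("bearer "):])
    if token is not None and SQLI_MARKERS.search(token):
        return (ip, path, "high")
    return (ip, path, "info")


def scan(log_text):
    """Classify every line and keep only the findings."""
    findings = (classify(line) for line in log_text.splitlines())
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for ip, path, severity in scan(SAMPLE_LOG):
        print(f"{severity:5} {ip:15} {path}")
```

Every request to these endpoints is reported, not only the ones with obvious injection syntax, because a successful exploit may also be preceded by harmless-looking probes from the same client; the severity field lets the two be sorted apart.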