Exploit available: Patch FortiWeb vulnerability now!

On Thursday, Fortinet released an update for FortiWeb. Exploits that abuse the critical vulnerability have since emerged.


On Thursday last week, Fortinet released security updates – the most serious vulnerability affects FortiWeb. Attackers can exploit an SQL injection vulnerability in non-updated systems. IT researchers have published proof-of-concept exploit code. Malicious actors can use it to attack vulnerable systems – IT managers should therefore install the updates quickly.

The vulnerability in FortiWeb allows unauthenticated attackers on the network to inject SQL commands via manipulated HTTP or HTTPS requests. The web application firewall (WAF) does not filter these sufficiently, and the resulting injection can be escalated to arbitrary code execution (CVE-2025-25257, CVSS 9.6, risk "critical"). FortiWeb versions 7.6.4, 7.4.8, 7.2.11 and 7.0.11 and newer patch the vulnerability and are available for download.

The IT security researchers at Watchtowr have investigated the vulnerability in more detail. They introduce their analysis sarcastically: "To be fair, the secure-by-design assurance did not require signatories to avoid SQL injections, so we have nothing to say." In fact, the secure-by-design campaign of the US authorities CISA and FBI has dedicated a separate document to SQL injections, with recommendations and guidance. Accordingly, the Watchtowr analysis is long and extensive, and the forensic experts have a lot to say.


For example, the Watchtowr analysts describe how they first probed the injection of SQL commands with a simple command that sleeps for five seconds, reading off success from the response time (a time-based blind injection). Despite prepared SQL queries (prepared statements, one of the recommended measures against SQL injection) on the FortiWeb appliance, they succeeded in injecting their own commands.

However, the IT forensic experts at Watchtowr did not stop there. "SQL injection before authentication to the system is fun," they write, but "the roller coaster of joy begins – can we extend MySQL injection into code execution from the network?" And of course they find a way: the INTO OUTFILE statement writes content to disk with the privileges of the user running the MySQL process. This should normally be a dedicated "mysql" user, but the forensic experts tease that such details are not part of any assurance such as "Secure by Design" and that Fortinet therefore cannot know this – MySQL runs as root on the FortiWeb appliances (readers may imagine a well-placed "Head->Desk" meme at this point).

There was another hurdle to overcome: INTO OUTFILE can only create new files, not overwrite existing ones or append data. The IT security researchers found ways around this too, and in the end they have an exploit that executes arbitrary code through the vulnerability – in the specific example, their Python script only tries to determine whether an instance is vulnerable.
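The article reports that prepared statements on the appliance did not stop the injection. The usual way that happens (the article does not say whether it is the exact mechanism here) is that the query text is assembled from untrusted input before it is prepared, so the prepare/execute split protects nothing. The following is an added illustration, not code from the article or from Watchtowr; it uses Python's sqlite3 module and a constructed `api_users` table as a stand-in for the appliance's MySQL database:

```python
import sqlite3


def make_db():
    # Constructed in-memory table; the schema is hypothetical and only serves the demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_users (username TEXT, token TEXT)")
    conn.execute("INSERT INTO api_users VALUES ('alice', 'constructed-token-1')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # The untrusted value is pasted into the SQL text *before* the driver prepares it.
    # Whether this string is then run via execute() or a MySQL "PREPARE stmt FROM @sql",
    # the attacker-controlled text is already part of the statement structure, so
    # "using prepared statements" gives no protection at all.
    sql = f"SELECT username FROM api_users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_hardened(conn, username):
    # The SQL text is a constant; the value travels as a bound parameter and can only
    # ever be compared as data, never change the query's structure.
    sql = "SELECT username FROM api_users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,)).fetchall()]


def demo():
    # Returns (vulnerable result, hardened result) for a constructed tautology input
    # so the difference between the two query styles is visible in one call.
    conn = make_db()
    crafted = "x' OR '1'='1"
    return lookup_vulnerable(conn, crafted), lookup_hardened(conn, crafted)


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("string-built query returned:", vulnerable)   # every row matches
    print("parameterised query returned:", hardened)    # no row matches
```

The point is the one the article makes: prepared statements only help when the statement text itself never contains attacker-controlled data.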

Another proof-of-concept exploit comes from the IT security researcher with the handle "faulty *ptrrr". He also based his exploit on INTO OUTFILE; however, his way of launching his own Python code differs slightly from the Watchtowr variant.

Malicious actors can quickly add this code to their exploit toolboxes. FortiWeb admins should therefore install the available updates without delay.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.