🔴 CVE-2025-25257

Critical SQL injection vulnerability in Fortinet FortiWeb WAF allowing unauthenticated attackers to execute arbitrary SQL and code via crafted HTTP/HTTPS requests. CISA has confirmed active exploitation in the wild with public PoC available.

← Back to Overview
HIGH_RISK
Risk Level
9.6
CVSS Score
NETWORK
Attack Vector
Initial Access
ATT&CK Tactic
T1190 — Exploit Public-Facing Application
ATT&CK Technique
VERY_HIGH
Deployment Risk
No
Ransomware

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-07-17

Added to CISA KEV: 2025-07-18 1 DAY BETWEEN CVE AND KEV

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2025-09-06)

CVE-2025-25257 is a critical SQL injection vulnerability affecting Fortinet FortiWeb, a web application firewall (WAF) [1][2]. Here's what is known about its exploitation:

  • Affected Applications/Services: The vulnerability affects internet-facing applications and services that utilize Fortinet's FortiWeb WAF [2][3].
  • Active Exploitation: There is confirmed evidence of active exploitation in the wild [4][5]. The Shadowserver Foundation reported observed exploitation activity since July 11, 2025 [5]. CrowdSec observed approximately 40 distinct IPs producing around 500 attack events related to this vulnerability, with most attacks occurring on July 11th, 2025 [6].
  • Attack Vectors/Exploitation Methods: The vulnerability allows an unauthenticated attacker to execute unauthorized SQL code via crafted HTTP or HTTPS requests [7][8]. Successful exploitation can lead to remote code execution (RCE) [2][7]. The flaw allows both SQL code and Python code to be executed on a victim's system due to improper neutralization of HTTP headers [9].
  • Targeted Attacks: While active exploitation is confirmed, specific details on "targeted attacks" are not explicitly mentioned beyond general malicious activity [10].
  • CISA KEV Status: CISA has added CVE-2025-25257 to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation [4][11]. This means that CISA considers this vulnerability to be actively exploited and posing a significant risk [4].
  • Technical Details/Internet Exploitability: CVE-2025-25257 is a pre-authentication SQL injection vulnerability in Fortinet FortiWeb [12]. It enables unauthenticated attackers to achieve remote code execution via crafted HTTP requests [12]. The vulnerability exists because of improper neutralization of special elements used in an SQL command [13][8]. Proof-of-concept (PoC) code is publicly available, increasing the risk of exploitation [12][14].

Sources

  1. CVE-2025–25257: FortiWeb SQL Injection to RCE Exposed | Medium

    On July 8, 2025, Fortinet disclosed CVE-2025–25257, a severe SQL injection vulnerability in their FortiWeb web application firewall. This unauthenticated flaw allows attackers to execute arbitrary code with root privileges, posing a massive risk to organizations.

  2. CVE-2025–25257 - FortiWeb Vulnerability Checker & Exploit | Medium

    A critical vulnerability was recently identified in Fortinet’s FortiWeb product: CVE-2025–25257, affecting web application firewalls (WAFs) globally. This vulnerability allows unauthenticated remote code execution (RCE), posing significant risk to exposed assets.

  3. CVE-2025-25257 | Arctic Wolf

    Fortinet released fixes for a critical vulnerability in FortiWeb that could allow an unauthenticated threat actor to execute SQL commands via crafted HTTP ...

  4. CISA Adds One Known Exploited Vulnerability to Catalog

    These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

  5. CISA Warns of Fortinet FortiWeb SQL Injection Vulnerability Exploited ...

    The vulnerability, tracked as CVE-2025-25257, affects Fortinet’s FortiWeb web application firewall and carries a severe CVSS score of 9.6 out of 10.CVE-2025-25257 exploitation activity observed since Jul 11th,” The Shadowserver Foundation reported.

Generated by PatchNow Intelligence System

Analysis based on CIRCL.LU data, Claude AI assessment, and MITRE ATT&CK framework

📄 Download JSON Data | 📡 RSS Feed