FortiWeb SQL Injection to Remote Code Execution Vulnerability
Vulnerability Information
Vulnerability name: FortiWeb SQL Injection to Remote Code Execution Vulnerability
Vulnerability ID:
- CVE: CVE-2025-25257
Vulnerability type: SQL injection
Severity: Critical
Description: FortiWeb is an enterprise-grade web application firewall (WAF) from Fortinet, designed to protect web applications against attacks such as SQL injection and cross-site scripting (XSS). It is widely deployed in enterprise environments to protect critical web applications and services. CVE-2025-25257 affects FortiWeb systems that expose the /api/fabric/device/status endpoint. The root cause is that the system fails to properly sanitize the input of the Authorization header, so an attacker can perform unauthenticated SQL injection by constructing a malicious Bearer token. Building on the SQL injection, an attacker can use SQL's INTO OUTFILE functionality to write a webshell to the server and trigger it through a Python chmod gadget, ultimately achieving remote command execution (RCE). The exploitation process is fully automated and requires no login credentials. Given the severity, an attacker can take full control of the affected system and execute arbitrary commands, leading to data leakage, service disruption and other serious consequences. Fortinet recommends that users update FortiWeb firmware promptly (if a patch is available), strictly sanitize all header inputs, and restrict file write paths and CGI execution to reduce the risk.
Vendor: Fortinet
Product: FortiWeb
Source: https://github.com/0xgh057r3c0n/CVE-2025-25257
Type: CVE-2025:github search
Repository files
- .gitignore
- CVE-2025-25257.py
- LICENSE
- README.md
- sample.png
Source overview
🚨 CVE-2025-25257 – FortiWeb SQLi to RCE
Critical SQL Injection → Webshell Execution
Discovered and weaponized by 0xgh057r3c0n
🧠 Vulnerability Overview
CVE-2025-25257 affects FortiWeb systems exposing the endpoint /api/fabric/device/status, which fails to properly sanitize Authorization header input. An attacker can perform unauthenticated SQL injection to write a webshell on the server and execute commands remotely.
💥 Attack Flow
GET /api/fabric/device/status
Header: Authorization: Bearer ';
Then:
🔧 Requirements
- Python 3.6+
- requests module
Install:
📤 Sample Output
📊 CVSS Estimate
Metric | Value
---|---
Base Score | 9.8 (CRITICAL)
Attack Vector | Network
Privileges Required | None
User Interaction | None
Impact | High (C/I/A)
🛡️ Mitigation
- Update FortiWeb firmware (if patch available)
- Sanitize all header inputs
- Restrict file write paths and CGI execution
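The second mitigation above, strict validation of header input, is the one a defender can also turn into a detection. The following is an added example, not code from the repository or from Fortinet: it validates the shape of an Authorization: Bearer value and scans constructed log lines for requests to /api/fabric/device/status whose header fails that check. The log line format, the sample lines, the client addresses and the allowed token alphabet are all assumptions made for this example; FortiWeb's real log format and token format may differ.

```python
"""Validate Authorization: Bearer values and flag malformed ones aimed at the
FortiWeb fabric status endpoint, illustrating 'sanitize all header inputs'.

The log line shape, sample lines and token alphabet below are constructed
assumptions for this example, not FortiWeb's own formats.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

WATCHED_PATH = "/api/fabric/device/status"

# Assumption: legitimate tokens are opaque base64url/JWT-style strings.
TOKEN_RE = re.compile(r"^[A-Za-z0-9._~+/=-]+$")
# SQL metacharacters and keywords that never belong in a bearer token.
SQL_META_RE = re.compile(r"['\";#]|--|/\*|\b(union|select|outfile)\b", re.IGNORECASE)

# Constructed log shape: <timestamp> <client> <method> <path> auth="<Authorization value>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) auth="(.*)"$')


@dataclass
class Finding:
    line_no: int
    client: str
    reason: str


def validate_bearer(value: str) -> Optional[str]:
    """Return None for a well-formed 'Bearer <token>', otherwise the rejection reason."""
    scheme, _, token = value.partition(" ")
    if scheme != "Bearer" or not token:
        return "not a Bearer credential"
    if not TOKEN_RE.fullmatch(token):
        if SQL_META_RE.search(token):
            return "token contains SQL metacharacters"
        return "token contains characters outside the allowed alphabet"
    return None


def scan_log(lines: List[str]) -> List[Finding]:
    """Flag requests to the watched endpoint whose Authorization header fails validation."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than alerted on
        _ts, client, _method, path, auth = m.groups()
        if path != WATCHED_PATH:
            continue
        reason = validate_bearer(auth)
        if reason:
            findings.append(Finding(n, client, reason))
    return findings


# Constructed sample log lines (not real FortiWeb output).
SAMPLE_LOG = [
    '2025-07-10T12:00:01Z 192.0.2.10 GET /api/fabric/device/status auth="Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123"',
    '2025-07-10T12:00:02Z 203.0.113.5 GET /api/fabric/device/status auth="Bearer \';"',
    '2025-07-10T12:00:03Z 203.0.113.5 GET /api/fabric/device/status auth="Basic dXNlcjpwYXNz"',
    '2025-07-10T12:00:04Z 198.51.100.7 GET /api/other auth="Bearer \';"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} -> {f.reason}")
```

The allow-list check in validate_bearer is the part worth reusing on the request path: rejecting any token outside a fixed alphabet before it reaches a query closes the class of bug regardless of which metacharacter a payload uses, while the SQL_META_RE branch only serves to label the finding for triage.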
👨💻 Author
0xgh057r3c0n
🔗 github.com/0xgh057r3c0n
⚠️ Disclaimer
This proof-of-concept is for educational and authorized testing only.
Use at your own risk. The author is not responsible for misuse.