Fortinet FortiWeb SQL注入漏洞

漏洞信息

漏洞名称： Fortinet FortiWeb SQL注入漏洞

漏洞编号：

• CVE： CVE-2025-25257

漏洞类型： SQL注入

漏洞等级： 严重

漏洞描述： Fortinet FortiWeb是一款广泛使用的Web应用防火墙（WAF），旨在保护Web应用免受各种攻击，如SQL注入、跨站脚本（XSS）等。它通常部署在企业环境中，用于保护关键Web应用和服务。由于其广泛的应用，FortiWeb成为攻击者的重要目标。

CVE-2025-25257是一个严重的预认证SQL注入漏洞，影响FortiWeb的Fabric Connector组件。该漏洞的技术根源在于get_fabric_user_by_token()函数在构造SQL查询时，未对用户输入（Authorization: Bearer HTTP头）进行适当的清理，导致SQL注入（CWE-89）。攻击者可以利用此漏洞绕过认证，注入任意SQL命令。通过利用MySQL的SELECT … INTO OUTFILE功能，攻击者还可以在服务器的文件系统中写入恶意的.pth文件或webshell，从而实现远程代码执行（RCE）。

该漏洞的影响极为严重，CVSS评分为9.6–9.8（严重）。攻击者无需认证即可在受影响的设备上执行操作系统级别的命令，可能导致系统完全被攻陷。目前已有公开的概念验证（PoC）漏洞利用代码，并且据报道正在被利用。为了防范此漏洞，建议立即升级FortiWeb到7.6.4+、7.4.8+、7.2.11+或7.0.11+版本。在应用补丁之前，可以临时禁用或限制对HTTP/HTTPS管理接口的访问。此外，应监控和检测可疑的Authorization头，添加IDS/IPS签名以检测Fabric Connector API调用中的注入模式，并检查文件系统中是否有未经授权的部署。

产品厂商： Fortinet

产品名称： FortiWeb

影响版本： 7.6.0–7.6.3, 7.4.0–7.4.7, 7.2.0–7.2.10, ≤7.0.10

来源： https://github.com/mrmtwoj/CVE-2025-25257

类型： CVE-2025:github search

仓库文件

• CVE-2025-25257.py
• README.md

来源概述

CVE-2025-25257

CVE‑2025‑25257 is a critical pre-authentication SQL injection vulnerability affecting Fortinet FortiWeb’s Fabric Connector component. It impacts FortiWeb versions:

• 7.6.0–7.6.3
• 7.4.0–7.4.7
• 7.2.0–7.2.10
• ≤ 7.0.10

Technical Details

The issue resides in the get_fabric_user_by_token() function, which constructs SQL queries using unsanitized user input (the Authorization: Bearer HTTP header). This leads to an SQL injection (CWE‑89) vulnerability

• Attackers can bypass authentication and inject arbitrary SQL commands.
• By exploiting MySQL’s SELECT … INTO OUTFILE, attackers can write malicious .pth files or webshells within the server’s file system (e.g. in Python site‑packages or CGI directories), resulting in remote code execution (RCE)

Impact

• CVSS score: 9.6–9.8 (Critical)
• The attacker gains unauthenticated access to execute OS-level commands on the affected appliance, potentially leading to full system compromise
• Public Proof-of-Concept (PoC) exploits are available and reportedly being used

Recommended Mitigations

• Patch Immediately
  Upgrade FortiWeb to: 7.6.4+, 7.4.8+, 7.2.11+, or 7.0.11+
• Temporary Mitigation
  Disable or restrict access to the HTTP/HTTPS administrative interface until the patch is applied
• Monitor and Detect

• Inspect logs for suspicious Authorization headers containing SQL syntax.
• Add IDS/IPS signatures to detect injection patterns in Fabric Connector API calls (especially /api/fabric/device/status).
• Check the file system (e.g., .pth files in site-packages or unusual CGI scripts like ml-draw.py) for unauthorized deployments

Summary

CVE‑2025‑25257 is a severe pre-auth SQL injection → RCE chain enabling attackers to implant arbitrary payloads in FortiWeb systems. It’s easy to exploit, widely weaponized, and has a fix available. Applying the vendor patch and enhancing monitoring controls are essential to prevent system compromise.