Red Hot Cyber
Critical Vulnerability in FortiWeb: Score 9.6 and Unauthorized SQL Commands

13 July 2025 11:54

A new vulnerability, tracked as CVE-2025-25257, was recently published affecting several versions of Fortinet FortiWeb. It could allow an unauthenticated attacker to execute unauthorized SQL commands via crafted HTTP or HTTPS requests. The flaw has a high impact on confidentiality, integrity, and availability: Fortinet rates it CVSS v3 9.6 in its advisory, while the published CVSS 3.1 base vector computes to 9.8, which is the score NVD records.

The risk is significant because FortiWeb is a web application firewall that typically sits in front of public-facing applications, so its management and API surfaces are often reachable by unauthenticated attackers and make attractive initial-access targets. As of 07/11/2025 there is no public evidence that this vulnerability has been actively exploited; that status can change quickly for a pre-authentication bug in an edge device, so re-check the vendor advisory and CISA's Known Exploited Vulnerabilities catalog before relying on it.

  • Last update: 11-07-2025
  • Type: SQL injection (CWE-89, improper neutralization of special elements used in an SQL command)
  • Vendor advisory: Fortinet PSIRT FG-IR-25-151
  • Affected software:
    → FortiWeb 7.6: versions 7.6.0 through 7.6.3 (fixed in 7.6.4)
    → FortiWeb 7.4: versions 7.4.0 through 7.4.7 (fixed in 7.4.8)
    → FortiWeb 7.2: versions 7.2.0 through 7.2.10 (fixed in 7.2.11)
    → FortiWeb 7.0: versions 7.0.0 through 7.0.10 (fixed in 7.0.11)
  • CVE/CVSS: CVE-2025-25257, CVSS v3 9.6 per Fortinet; 9.8 base score under the published vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (the NVD score)
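Checking a fleet against the ranges above by eye is error-prone, especially where the last affected release has two-digit patch levels (7.2.10, 7.0.10). The script below is an added example, not code from the article or from Fortinet: it parses version strings and classifies each unit as vulnerable, fixed, or on a branch the advisory does not list. The affected ranges and the fixed releases (7.6.4, 7.4.8, 7.2.11, 7.0.11) are those published for CVE-2025-25257 in Fortinet advisory FG-IR-25-151; the exact format of a FortiWeb version banner and the inventory lines at the bottom are constructed assumptions.

```python
"""Added example, not from the article or from Fortinet: triage FortiWeb
version strings against the affected ranges of CVE-2025-25257.

The affected ranges are those listed above; the fixed releases (7.6.4, 7.4.8,
7.2.11, 7.0.11) are the ones named in Fortinet advisory FG-IR-25-151.
The inventory lines at the bottom are constructed sample data, and the
exact text of FortiWeb's version banner is an assumption here."""
import re

# branch -> (last affected patch level, first fixed release)
AFFECTED = {
    (7, 6): (3, "7.6.4"),
    (7, 4): (7, "7.4.8"),
    (7, 2): (10, "7.2.11"),
    (7, 0): (10, "7.0.11"),
}

_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Pull a (major, minor, patch) tuple out of free text such as
    'FortiWeb-VM v7.4.6,build1184'. Raises ValueError if none is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(text):
    """Classify one version string.

    Returns (status, advice) where status is one of:
      'vulnerable' - inside an affected range; advice names the fix release
      'fixed'      - on an affected branch but at or above the fix release
      'unlisted'   - branch not covered by the advisory (e.g. an end-of-support
                     6.x build); treat as unknown and check with the vendor
    """
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch not in AFFECTED:
        return ("unlisted", "branch not in the advisory; confirm status with the vendor")
    last_affected, fixed = AFFECTED[branch]
    if patch <= last_affected:
        return ("vulnerable", f"upgrade to {fixed} or later on the {major}.{minor} branch")
    return ("fixed", f"{major}.{minor}.{patch} is at or above {fixed}")


def triage(inventory):
    """Run assess() over 'hostname<TAB>version-banner' lines and return a
    list of (hostname, status, advice) with vulnerable hosts listed first."""
    rows = []
    for line in inventory.strip().splitlines():
        host, banner = line.split("\t", 1)
        status, advice = assess(banner)
        rows.append((host, status, advice))
    order = {"vulnerable": 0, "unlisted": 1, "fixed": 2}
    return sorted(rows, key=lambda r: order[r[1]])


# Constructed sample inventory (hostnames, models and build numbers are made up).
SAMPLE_INVENTORY = """\
waf-dc1-01\tFortiWeb-VM v7.4.6,build1184
waf-dc1-02\tFortiWeb-VM v7.4.8,build1222
waf-dmz-01\tFortiWeb-1000E v7.2.10,build0401
waf-lab-01\tFortiWeb-VM v6.4.3,build0110
"""

if __name__ == "__main__":
    for host, status, advice in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status:10} {advice}")
```

Feed it whatever your asset inventory exports (one host per line, tab-separated), and treat any "unlisted" result as unknown rather than safe: the advisory only speaks for the 7.x branches it names.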

Details of the bug

In affected versions, the FortiWeb administration GUI contains an improper neutralization of special elements used in an SQL command (CWE-89). Because the vulnerable code path is reachable before authentication, an attacker who can reach the management interface can:

  1. Execute unauthorized SQL commands without any credentials
  2. Bypass access controls and read sensitive configuration or user data from the backend database
  3. Modify or delete backend database entries
  4. Potentially chain to full compromise of the appliance, depending on what the database account and the surrounding code path permit
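To make the bug class concrete, the following is an added example and is not FortiWeb code or the actual CVE-2025-25257 code path: an unauthenticated token lookup written once with string-built SQL and once with a parameterized query, run against an in-memory SQLite table of constructed rows. The table, column and token values and the two payloads are illustrative assumptions; what is faithful to the advisory is the pattern, client input concatenated into SQL on a pre-authentication path, and its two consequences, an access-control bypass and data extraction.

```python
"""Added example, not FortiWeb code and not the real CVE-2025-25257 code path:
it illustrates the bug class (CWE-89, improper neutralization of SQL input)
that the advisory describes. A token lookup on an unauthenticated endpoint is
shown once with string-built SQL and once parameterized, against an
in-memory SQLite table of constructed sample rows. Table, column and token
names and the payloads are illustrative assumptions."""
import sqlite3


def make_db():
    """Constructed sample data: one API token that maps to the admin user."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE api_token (token TEXT NOT NULL, admin_user TEXT NOT NULL)"
    )
    conn.execute("INSERT INTO api_token VALUES ('a1b2c3d4e5f6', 'admin')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, token):
    """Improper neutralization: the client-supplied token is pasted into the
    query text, so a quote character in it changes the SQL that runs."""
    sql = f"SELECT admin_user FROM api_token WHERE token = '{token}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_fixed(conn, token):
    """Parameterized query: the token travels as bound data, never as SQL,
    so the same payloads simply fail to match any row."""
    row = conn.execute(
        "SELECT admin_user FROM api_token WHERE token = ?", (token,)
    ).fetchone()
    return row[0] if row else None


# Payloads an unauthenticated client could send in the token field.
# BYPASS turns the WHERE clause into a tautology: access-control bypass.
# EXFIL comments out the closing quote and UNIONs the secret column into
# the result: data extraction.
BYPASS = "' OR '1'='1"
EXFIL = "' UNION SELECT token FROM api_token --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass :", lookup_vulnerable(db, BYPASS))      # admin
    print("vulnerable, exfil  :", lookup_vulnerable(db, EXFIL))       # a1b2c3d4e5f6
    print("fixed, bypass      :", lookup_fixed(db, BYPASS))           # None
    print("fixed, real token  :", lookup_fixed(db, "a1b2c3d4e5f6"))  # admin
```

The fix is the boring one: bind parameters everywhere client input meets SQL, and keep the database account used by pre-authentication endpoints limited to the rows and statements those endpoints genuinely need, so that a missed call site cannot turn into point 4 of the list above.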

Recommended Actions

Install the vendor-provided updates as a top priority: upgrade to FortiWeb 7.6.4, 7.4.8, 7.2.11 or 7.0.11 (or a later release on the same branch), after testing in a staging environment. Until the upgrade is done, apply the workaround from Fortinet's advisory FG-IR-25-151 and disable the HTTP/HTTPS administrative interface, or at minimum restrict management access to a dedicated management network and trusted source addresses.

Enhance monitoring and detection capabilities: review the management interface's access logs for requests from untrusted addresses that carry SQL metacharacters (quotes, comment sequences, UNION or OR clauses) in parameters or headers, check for unexpected administrator accounts or configuration changes, and treat any unit that was exposed and unpatched as potentially compromised so that a rapid response is possible in the event of an intrusion.

Editorial team (Redazione)

The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.