# Fortinet FortiWeb continues to face a remote attack vulnerability without authentication - CVE‑2025‑25257

## **Overview**

Recently, a highly critical vulnerability was reported by Fortinet with the identifier: **CVE‑2025‑25257**. A public proof of concept (PoC) has been released online, posing significant risks to Fortinet products. This vulnerability allows hackers to execute remote code without authentication (pre-auth RCE).

Once they have the ability to write to the system file, hackers can:

* Deploy a permanent backdoor
    
* Alter WAF configurations
    
* Disrupt or redirect the traffic of the protected application
    

![CVE-2025-25257 PoC FortiWeb, SQL Injection](https://securityonline.info/wp-content/uploads/2025/07/shell-1024x724.png align="center")

## **Vulnerability Description**

* Vulnerability ID: **CVE‑2025‑25257**
    
* CVSS Score: **9.6/10, indicating an extremely critical level**
    
* Affected Versions: **This vulnerability affects most 7.x.x versions**
    
    * **FortiWeb 7.0.0 to 7.0.10**
        
    * **FortiWeb 7.2.0 to 7.2.10**
        
    * **FortiWeb 7.4.0 to 7.4.7**
        
    * **FortiWeb 7.6.0 to 7.6.3**
        
* Attack Mechanism: An attacker can perform **Remote Code Execution** without **authentication** (pre-auth) through the API `/api/fabric/device/status`, which is extremely dangerous if the device is publicly accessible on the Internet.
    
* Consequences: **Successful exploitation of the vulnerability can allow an attacker to fully control the WAF.**
    

## **Vulnerability Details**

As mentioned above, this vulnerability involves an unauthenticated SQL Injection (CWE‑89) on the Fabric Connector endpoint. Therefore, the attacker will first initialize the `SQLInjection` class and proceed to send SQL payloads in the **Bearer header**.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752599056985/31a5080b-ac8e-44b8-a7f5-a1c8fcd2040b.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752599423608/44085aec-7dc9-447e-99b1-016dcfeb8c0c.png align="center")

In cases where the payloads return 200 or the server returns HTTP 401 (authentication error but no SQL syntax error), it means further exploitation steps can continue for escalation.

After confirming that SQL Injection payloads can be executed, the attacker proceeds to exploit RCE—this is a part of `RCE` inherited from `SQLInjection`. Here, the attacker will create the table `fabric_user.a` to store **webshell** data and write each shell component into the table..

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752674505369/b9f0f407-172d-43a4-8448-c9d2f832893f.png align="center")

Then the attacker will write everything and output it as an executable shell file `x.cgi`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752676091924/c3d1b665-0340-4e7d-a3ce-b1c0044d4ed5.png align="center")

Then a Python script will be run by FortiWeb when the CGI is triggered. This is a **"gadget to perform chmod +x and erase traces"** during execution to make it harder for investigators to detect. The script will be placed in the FortiWeb directory, which will automatically execute it.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752679956857/3094e3d4-fd19-4d79-9138-38fe4417069b.png align="center")

Finally, the attacker will send commands to the shell via HTTP through the `User-Agent` header. Since MySQL runs with root privileges, the exploit can write files anywhere. Naturally, if the web shell or script runs as root, the attacker will gain full control of the system.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1752680050395/96e3ffa6-fc28-4b8f-ad12-3cd47e7c2ef9.png align="center")

## **Conclusion**

**CVE‑2025‑25257** is a very serious vulnerability where an attacker can perform **remote code execution before authentication**, allowing full control of the WAF system. More dangerously, a POC is already available online, which means the risk of individuals or organizations being actively exploited is high.

Admins **must prioritize patching the system immediately** and implement mitigation measures if patching is not possible right away. Protecting the WAF not only safeguards the application but also your entire network infrastructure.

## **Recommendations**

1. Software Update (Patching) – MANDATORY
    

* **Update FortiWeb immediately** to one of the patched versions:
    
    * `7.0.11`
        
    * `7.2.11`
        
    * `7.4.8`
        
    * `7.6.4`
        
* Software update link: [Updating the firmware | FortiWeb 7.6.4 | Fortinet Document Library](https://docs.fortinet.com/document/fortiweb/7.6.4/administration-guide/172532/updating-the-firmware?utm_source=chatgpt.com)
    

2. **Temporary measures if patching is not possible immediately**
    

* **Disable the HTTP/HTTPS management interface** to block "pre-auth" access to the endpoint `/api/fabric/device/status`.
    
* Use a firewall to **block public IPs** from accessing the Fabric API.
    

## **References**

1. [Fortinet Releases Patch for Critical SQL Injection](https://docs.fortinet.com/document/fortiweb/7.6.4/administration-guide/172532/updating-the-firmware?utm_source=chatgpt.com) [Flaw in FortiWeb (CVE-2025-25257)](https://thehackernews.com/2025/07/fortinet-releases-patch-for-critical.html)
    
2. [FortiWeb Pre-Auth RCE (CVE-2025-25257)](https://pwner.gg/blog/2025-07-10-fortiweb-fabric-rce)
    
3. [Fortinet Releases Patch for Critical SQL Injection Flaw in FortiWeb (CVE-2025-25257)](https://thehackernews.com/2025/07/fortinet-releases-patch-for-critical.html)
