CVE-2025-25257
Published: 17 July 2025
Summary
CVE-2025-25257 is a critical-severity SQL Injection (CWE-89) vulnerability in Fortinet Fortiweb. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 3.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-25257 is an SQL injection vulnerability (CWE-89) present in Fortinet FortiWeb versions 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10, and 7.0.0 through 7.0.10. The flaw stems from improper neutralization of special elements in SQL commands and can be triggered through crafted HTTP or HTTPS requests, carrying a CVSS 3.1 score of 9.8.
An unauthenticated remote attacker can exploit the issue over the network without user interaction to execute arbitrary SQL commands, potentially leading to full compromise of confidentiality, integrity, and availability on the affected FortiWeb appliance.
The Fortinet advisory FG-IR-25-151 along with listings in the CISA Known Exploited Vulnerabilities catalog provide official guidance on remediation, while public proof-of-concept code is available on Exploit-DB, GitHub, and Packet Storm.
The EPSS score rose materially from a low baseline to a peak of 0.6755 on 2025-12-11 before receding to the current value of 0.2620, indicating post-disclosure exploitation interest; the vulnerability's presence in the CISA catalog further confirms observed real-world use.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-21785
Vulnerability details
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.7, FortiWeb 7.2.0 through 7.2.10, FortiWeb 7.0.0 through 7.0.10 allows an unauthenticated attacker to execute…
more
unauthorized SQL code or commands via crafted HTTP or HTTPs requests.
- CWE(s)
- KEV Date Added
- 18 July 2025
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection enables unauthenticated arbitrary SQL execution (T1190), allowing database data collection (T1213.006) and local file read/write operations as demonstrated in the PoC (T1005).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the SQL injection vulnerability by applying Fortinet patches for affected FortiWeb versions.
Requires validation of HTTP/HTTPS inputs to neutralize special elements and prevent SQL command injection.
Scans for and identifies the SQL injection vulnerability in FortiWeb instances, enabling proactive patching.