Cyber Posture

CVE-2025-25257

Critical · CISA KEV · Active Exploitation · Public PoC

Published: 17 July 2025
Modified: 20 February 2026
KEV Added: 18 July 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2211 (95.8th percentile)
Risk Priority: 53 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25257 is a critical-severity SQL Injection (CWE-89) vulnerability in Fortinet FortiWeb. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 4.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 2 other techniques.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Directly remediates the SQL injection vulnerability by applying Fortinet patches for affected FortiWeb versions.

prevent (SI-10, Information Input Validation): Requires validation of HTTP/HTTPS inputs to neutralize special elements and prevent SQL command injection.

detect (RA-5, Vulnerability Monitoring and Scanning): Scans for and identifies the SQL injection vulnerability in FortiWeb instances, enabling proactive patching.

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.

Why these techniques?

SQL injection enables unauthenticated arbitrary SQL execution (T1190), allowing database data collection (T1213.006) and local file read/write operations as demonstrated in the PoC (T1005).

NVD Description

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.7, FortiWeb 7.2.0 through 7.2.10, FortiWeb 7.0.0 through 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.

Deeper analysis

CVE-2025-25257 is an SQL injection vulnerability (CWE-89) in Fortinet FortiWeb, affecting versions 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10, and 7.0.0 through 7.0.10. The flaw arises from improper neutralization of special elements used in SQL commands, enabling an unauthenticated attacker to execute unauthorized SQL code or commands through crafted HTTP or HTTPS requests. Published on 2025-07-17, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges or user interaction. Exploitation involves sending specially crafted requests to a vulnerable FortiWeb instance, allowing arbitrary SQL command execution. This can result in high impacts to confidentiality, integrity, and availability, such as data exfiltration, modification, or denial of service.

Fortinet's PSIRT advisory (FG-IR-25-151) details mitigation steps, including available patches for affected versions. Security practitioners should consult this advisory for upgrade guidance and workarounds.

Public proof-of-concept exploits are available on Exploit-DB (ID 52473), Packet Storm, and GitHub (0xbigshaq/CVE-2025-25257). The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating real-world exploitation.

Details

CWE(s): CWE-89 (SQL Injection)
KEV Date Added: 18 July 2025

Affected Products

fortinet fortiweb: 7.0.0 — 7.0.11 · 7.2.0 — 7.2.11 · 7.4.0 — 7.4.8

CVEs Like This One

CVE-2025-58034 (same product: Fortinet FortiWeb; both on KEV)
CVE-2025-64446 (same product: Fortinet FortiWeb; both on KEV)
CVE-2022-29059 (same product: Fortinet FortiWeb)
CVE-2025-52970 (same product: Fortinet FortiWeb)
CVE-2025-64447 (same product: Fortinet FortiWeb)
CVE-2026-21643 (same vendor: Fortinet; both on KEV)
CVE-2025-59719 (same product: Fortinet FortiWeb)
CVE-2024-55594 (same product: Fortinet FortiWeb)
CVE-2024-55597 (same product: Fortinet FortiWeb)
CVE-2026-40688 (same product: Fortinet FortiWeb)
