Cyber Resilience

CVE-2025-25257

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 17 July 2025

Published
17 July 2025
Modified
20 February 2026
KEV Added
18 July 2025
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.2620 96.4th percentile
Risk Priority 55 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25257 is a critical-severity SQL Injection (CWE-89) vulnerability in Fortinet Fortiweb. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 3.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-25257 is an SQL injection vulnerability (CWE-89) present in Fortinet FortiWeb versions 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10, and 7.0.0 through 7.0.10. The flaw stems from improper neutralization of special elements in SQL commands and can be triggered through crafted HTTP or HTTPS requests, carrying a CVSS 3.1 score of 9.8.

An unauthenticated remote attacker can exploit the issue over the network without user interaction to execute arbitrary SQL commands, potentially leading to full compromise of confidentiality, integrity, and availability on the affected FortiWeb appliance.

The Fortinet advisory FG-IR-25-151 along with listings in the CISA Known Exploited Vulnerabilities catalog provide official guidance on remediation, while public proof-of-concept code is available on Exploit-DB, GitHub, and Packet Storm.

The EPSS score rose materially from a low baseline to a peak of 0.6755 on 2025-12-11 before receding to the current value of 0.2620, indicating post-disclosure exploitation interest; the vulnerability's presence in the CISA catalog further confirms observed real-world use.

EU & UK References

Vulnerability details

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.7, FortiWeb 7.2.0 through 7.2.10, FortiWeb 7.0.0 through 7.0.10 allows an unauthenticated attacker to execute…

more

unauthorized SQL code or commands via crafted HTTP or HTTPs requests.

CWE(s)
KEV Date Added
18 July 2025

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection enables unauthenticated arbitrary SQL execution (T1190), allowing database data collection (T1213.006) and local file read/write operations as demonstrated in the PoC (T1005).

CVEs Like This One

CVE-2025-58034Same product: Fortinet Fortiwebboth on KEV
CVE-2025-64446Same product: Fortinet Fortiwebboth on KEV
CVE-2022-29059Same product: Fortinet Fortiweb
CVE-2025-52970Same product: Fortinet Fortiweb
CVE-2025-64447Same product: Fortinet Fortiweb
CVE-2026-21643Same vendor: Fortinetboth on KEV
CVE-2024-55594Same product: Fortinet Fortiweb
CVE-2025-59719Same product: Fortinet Fortiweb
CVE-2024-50569Same product: Fortinet Fortiweb
CVE-2026-40688Same product: Fortinet Fortiweb

Affected Assets

fortinet
fortiweb
7.0.0 — 7.0.11 · 7.2.0 — 7.2.11 · 7.4.0 — 7.4.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the SQL injection vulnerability by applying Fortinet patches for affected FortiWeb versions.

prevent

Requires validation of HTTP/HTTPS inputs to neutralize special elements and prevent SQL command injection.

detect

Scans for and identifies the SQL injection vulnerability in FortiWeb instances, enabling proactive patching.

References