In a significant security development, cybersecurity experts from WatchTowr Labs have identified a critical vulnerability, designated CVE-2025-25257, in Fortinet’s FortiWeb Fabric Connector. This weakness allows unauthenticated remote code execution via a SQL injection flaw in the system’s administrative interface, posing a serious risk to organizations utilizing FortiWeb’s web application firewall.
The vulnerability was first reported by Kentaro Kawane from GMO Cybersecurity, with subsequent findings being demonstrated by WatchTowr Labs. The experts highlighted that the flaw enables attackers to exploit the system by sending specially crafted requests that manipulate the FortiWeb system into executing malicious commands. Immediate action is advisable to mitigate risks associated with this vulnerability.
Initially challenging to exploit due to command limitations, researchers successfully bypassed hurdles using MySQL’s comment syntax, enabling successful SQL injection. The discovery led to the escalation of the vulnerability to achieve Remote Code Execution (RCE), allowing attackers to write files to the system’s directory with root privileges. The researchers demonstrated a complete system compromise, emphasizing the severity of the situation.
Organizations using FortiWeb are strongly urged to update their systems to patched versions immediately. Fortinet has provided specific upgrade details for various versions, and interim measures include disabling the HTTP/HTTPS administrative interface to prevent potential exploitation. This vulnerability not only endangers sensitive data but could also allow systems to be leveraged for further attacks, resulting in substantial financial and reputational losses.