CVE-2025-25257

CVE Database · CVE-2025-25257

CVE-2025-25257

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

96.71%

Published

Jul 17, 2025

Modified

Feb 20, 2026

CISA Known Exploited Vulnerability

Added: 2025-07-18 · Due: 2025-08-08

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Public PoC / Exploit (11)

All weaponized →

Exploit-DBFortiWeb Fabric Connector 7.6.x - SQL Injection to Remote Code Execution NucleiNuclei detection template TrickestTrickest PoC index GitHub PoCwatchtowrlabs/watchTowr-vs-FortiWeb-CVE-2025-25257★98 GitHub PoC0xbigshaq/CVE-2025-25257★64 GitHub PoCTheStingR/CVE-2025-25257★5 GitHub PoCaitorfirm/CVE-2025-25257★1 GitHub PoCimbas007/CVE-2025-25257★1 GitHub PoC0xgh057r3c0n/CVE-2025-25257★1 GitHub PoCmrmtwoj/CVE-2025-25257★1 GitHub PoCsegfault-it/CVE-2025-25257★1

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.7, FortiWeb 7.2.0 through 7.2.10, FortiWeb 7.0.0 through 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-89CWE-89

Affected Products (4)

fortinet · fortiweb (up to 7.0.11)vulnerable

fortinet · fortiweb (up to 7.2.11)vulnerable

fortinet · fortiweb (up to 7.4.8)vulnerable

fortinet · fortiweb (up to 7.6.4)vulnerable

References (5)

https://fortiguard.fortinet.com/psirt/FG-IR-25-151

Vendor Advisory