Fortinet FortiWeb Fabric Connector Flaw Enables Remote Code Execution
gbhackers

Security researchers have identified a severe pre-authentication SQL injection vulnerability in Fortinet’s FortiWeb Fabric Connector, designated as CVE-2025-25257, that allows unauthenticated attackers to execute unauthorized SQL commands and potentially achieve remote code execution.
The vulnerability affects multiple versions of FortiWeb, including 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10, and 7.0.0 through 7.0.10, with patches available in newer versions.
FortiWeb’s Fabric Connector serves as integration middleware between FortiWeb web application firewalls and other Fortinet ecosystem products, enabling dynamic security policy updates based on real-time infrastructure changes and threat intelligence.
Technical Details of the SQL Injection Flaw

The vulnerability stems from improper input sanitization in the get_fabric_user_by_token function within FortiWeb’s authentication mechanism.
Researchers discovered that the function directly incorporates user-controlled input from HTTP Authorization headers into SQL queries without ...
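To make the described pattern concrete, here is an added Python/sqlite3 sketch that is not FortiWeb's code (only the function name get_fabric_user_by_token is known from the article): a token lookup that splices the Authorization header into the SQL string, beside a hardened version that allow-lists the token format and binds it as a parameter. The table schema, token alphabet and header parsing are assumptions made for the example.

```python
import re
import sqlite3
from typing import Optional

# Constructed in-memory token store standing in for the real one; not FortiWeb's schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fabric_user (id INTEGER PRIMARY KEY, name TEXT, token TEXT)")
    conn.execute("INSERT INTO fabric_user VALUES (1, 'fabric-admin', 'a1b2c3d4e5f6')")
    conn.commit()
    return conn

def bearer_token(authorization: str) -> Optional[str]:
    """Extract the token from an 'Authorization: Bearer <token>' header value (assumed scheme)."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token

def lookup_user_vulnerable(conn: sqlite3.Connection, authorization: str) -> Optional[str]:
    """The pattern the article describes: header text spliced directly into the SQL string."""
    token = bearer_token(authorization)
    if token is None:
        return None
    query = f"SELECT name FROM fabric_user WHERE token = '{token}'"  # token is parsed as SQL
    row = conn.execute(query).fetchone()
    return row[0] if row else None

TOKEN_RE = re.compile(r"^[A-Za-z0-9._-]{8,128}$")  # assumed token alphabet for the allow-list

def lookup_user_hardened(conn: sqlite3.Connection, authorization: str) -> Optional[str]:
    """Allow-list the token format, then bind it as a parameter so it can never alter the query."""
    token = bearer_token(authorization)
    if token is None or not TOKEN_RE.fullmatch(token):
        return None  # rejected before the database is touched; log here to detect probing
    row = conn.execute("SELECT name FROM fabric_user WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None

def demo() -> tuple:
    """Returns (vulnerable/valid token, vulnerable/malformed token, hardened/malformed token)."""
    conn = make_db()
    valid = "Bearer a1b2c3d4e5f6"
    # Constructed malformed header: the quote ends the literal and a tautology follows it.
    malformed = "Bearer x' OR '1'='1"
    return (lookup_user_vulnerable(conn, valid),
            lookup_user_vulnerable(conn, malformed),
            lookup_user_hardened(conn, malformed))
```

The vulnerable lookup returns the stored user for the malformed header because the appended condition is always true, while the hardened lookup rejects the same header before any query runs.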
Copyright of this story solely belongs to gbhackers.