FortiWeb SQL Injection Vulnerability Allows Attackers to Execute Malicious SQL Commands
gbhackersA critical security vulnerability has been discovered in Fortinet’s FortiWeb web application firewall that allows unauthenticated attackers to execute malicious SQL commands through the device’s graphical user interface.
The flaw, designated as CVE-2025-25257, poses significant risks to organizations relying on FortiWeb for web application protection.
Vulnerability Details
The vulnerability stems from improper neutralization of special elements used in SQL commands, classified as CWE-89 in the Common Weakness Enumeration database.
| Field | Value |
|---|---|
| CVE ID | CVE-2025-25257 |
| Severity | Critical |
| CVSS v3 Score | 9.6 |
| CWE Classification | CWE-89 (SQL Injection) |
Attackers can exploit this flaw by sending specially crafted HTTP or HTTPS requests to the FortiWeb management interface, enabling them to execute unauthorized SQL code without requiring authentication credentials.
Fortinet has assigned this vulnerability a Critical severity rating with a CVSS v3 score of 9.6, indicating the potential for complete system compromise.
The high severity reflects the vulnerability’s network accessibility ...
Copyright of this story solely belongs to gbhackers . To see the full text click HERE