vulnerability:exploitability=documented
Created on 2025-07-11 07:02 and updated on 2025-07-11 07:03.
Description
PSIRT | FortiGuard Labs
Unauthenticated SQL injection in GUI
Summary
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.
| Version | Affected | Solution |
|---|---|---|
| FortiWeb 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| FortiWeb 7.4 | 7.4.0 through 7.4.7 | Upgrade to 7.4.8 or above |
| FortiWeb 7.2 | 7.2.0 through 7.2.10 | Upgrade to 7.2.11 or above |
| FortiWeb 7.0 | 7.0.0 through 7.0.10 | Upgrade to 7.0.11 or above |
Workaround
Disable HTTP/HTTPS administrative interface
Acknowledgement
Fortinet is pleased to thank Kentaro Kawane from GMO Cybersecurity by Ierae for reporting this vulnerability under responsible disclosure.
Timeline
2025-07-08: Initial publication
Associated vulnerability
CVE-2025-25257Meta
[
{
"tags": [
"vulnerability:exploitability=documented"
]
}
]