You are currently viewing Token Based SQLi in FortiWeb: Users Urged to Patch this Critical Flaw

Token Based SQLi in FortiWeb: Users Urged to Patch this Critical Flaw

A critical security vulnerability, CVE-2025-25257, has been discovered in FortiWeb web application firewalls, potentially allowing unauthenticated attackers to execute unauthorized SQL commands. This vulnerability, classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), poses a significant threat to organizations that rely on FortiWeb for web application security.

Vulnerability and Exploit Details

The FortiWeb SQL injection vulnerability stems from improper input validation mechanisms within the product’s GUI component. An attacker can exploit this flaw by sending malicious HTTP or HTTPS requests containing specially crafted SQL payloads, bypassing the application’s security controls. This allows for SQL injection attacks, where malicious SQL code is injected into database queries, potentially enabling attackers to read, modify, or delete sensitive data stored in the backend database.

The flaw was discovered by comparing the /bin/httpsd endpoint, specifically the get_fabric_user_by_token function, in versions 7.6.3 and 7.6.4. In the older version, user-controlled input was inserted directly into the function without sanitization. This function is typically invoked by other Fortinet products authenticating to the FortiWeb API, meaning that supplying a crafted query here allows an attacker to bypass authentication entirely.

To understand how the exploit works, let’s first examine the fabric_access_check function that calls get_fabric_user_by_token. Here’s what it does:

  1. It retrieves the Authorization header from the incoming HTTP request.
  2. It uses a standard libc function to parse the header, expecting it to begin with Bearer up to 128 characters.
  3. It then calls the vulnerable get_fabric_user_by_token function without any sanitization.

Because there’s no validation or escaping before the input is passed into the MySQL query, an attacker can insert an SQL injection payload via the Bearer header. For example:

GET /api/fabric/device/status HTTP/1.1
Host: {host-ip}
Authorization: Bearer AAAAAA'or'1'='1

This lets the attacker bypass authentication completely

Affected Versions

The vulnerability affects multiple FortiWeb versions across different release branches:

  • FortiWeb 7.6.0–7.6.3
  • FortiWeb 7.4.0–7.4.7
  • FortiWeb 7.2.0–7.2.10
  • FortiWeb 7.0.0–7.0.10

Impact

Successful exploitation of this vulnerability could lead to:

  • Complete system compromise
  • Data exfiltration
  • Service disruption
  • Lateral movement within the network infrastructure

Mitigation & Remediation

To mitigate this vulnerability, it is crucial to take the following steps:

  • Immediate Upgrade: Organizations should upgrade their FortiWeb installations to the patched versions specified for each affected branch. The patched versions are:
    • FortiWeb 7.6.4 or above
    • FortiWeb 7.4.8 or above
    • FortiWeb 7.2.11 or above
    • FortiWeb 7.0.11 or above
  • Interim Workaround: As an interim workaround, administrators can disable the HTTP/HTTPS administrative interface to reduce the attack surface until patching is completed.

Tactics, Techniques, and Procedures (TTPs)

Attackers can exploit this vulnerability using the following TTPs:

TA0001 – Initial Access: Attackers gain initial access by sending specially crafted HTTP or HTTPS requests to the FortiWeb management interface.

TA0002 – Execution: Attackers exploit the SQL injection vulnerability to execute unauthorized SQL code.

T1210 – Exploitation of Remote Services: Attackers exploit the remote services to gain unauthorized access.

T1190 – Exploit Public-Facing Application: Using an SQL Injection attack on the public-facing application.

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.