TT-CSIRT – 441.10.07.25 - Fortinet Security Advisories

TT-CSIRT – 441.10.07.25 – Fortinet Security Advisories – SQL injection in GUI

By
July 10, 2025July 10, 2025

Please be advised of the critical vulnerability CVE-2025-25257, which affects FortiWeb. This issue stems from improper handling of special characters in SQL commands, leading to a SQL Injection vulnerability (CWE-89). This vulnerability enables an attacker to execute unauthorized SQL code by sending specially crafted HTTP or HTTPS requests.

Affected Versions and solutions:

Version	Affected	Solution
FortiWeb 7.6	7.6.0 through 7.6.3	Upgrade to 7.6.4 or above
FortiWeb 7.4	7.4.0 through 7.4.7	Upgrade to 7.4.8 or above
FortiWeb 7.2	7.2.0 through 7.2.10	Upgrade to 7.2.11 or above
FortiWeb 7.0	7.0.0 through 7.0.10	Upgrade to 7.0.11 or above

Workaround

Disable HTTP/HTTPS administrative interface

References:

https://www.fortiguard.com/psirt/FG-IR-25-151

If you have any queries, comments or require assistance, please feel free to contact TT-CSIRT via contacts@ttcsirt.gov.tt

M	T	W	T	F	S	S
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31

TT-CSIRT – 441.10.07.25 – Fortinet Security Advisories – SQL injection in GUI

TT-CSIRT – 441.10.07.25 – Fortinet Security Advisories – SQL injection in GUI

Quick Navigation

Partner Agencies

Subscribe to Stay Updated!

Follow on social media: