A high-severity SQL injection vulnerability, CVE-2025-25257, in Fortinet FortiWeb enables pre-authenticated remote code execution (RCE). It has a a CVSS score of 9.8. Review the details in this Cybersecurity Threat Advisory to keep your environment safe.
What is the threat?
CVE-2025-25257 stems from an SQL injection flaw in FortiWeb’s Fabric Connector, specifically in the get_fabric_user_by_token() function that fails to properly sanitize bearer tokens in HTTP request headers. A threat actor can exploit this vulnerability by sending crafted HTTP or HTTPS requests to the /api/fabric/device/status endpoint and inject SQL code into the Authorization header. This allows attackers to bypass authentication checks and potentially escalate to RCE by writing malicious files to the system that are automatically executed when certain Python scripts are run.
Why is this noteworthy?
A pre-authentication SQL injection vulnerability in a web application firewall like FortiWeb is particularly concerning as these devices are specifically deployed to protect other web applications from threats. In addition, this vulnerability can enable attackers to escalate to full RCE using MySQL’s file creation capabilities.
What is the exposure or risk?
Organizations running unpatched versions of Fortinet FortiWeb face significant risks of unauthorized access and system compromise. A successful exploit could compromise the WAF and expose the web applications it’s meant to protect. Attackers who successfully exploit this vulnerability can achieve pre-authenticated RCE with the ability to:
- Execute arbitrary commands on the FortiWeb device.
- Move laterally to other systems in the network.
- Access sensitive data protected by the WAF.
- Disrupt security operations by compromising the WAF itself.
What are the recommendations?
Barracuda recommends the following actions to keep your environment secure against this threat:
- Update FortiWeb installations immediately to patched versions (FortiWeb 7.6.4, 7.4.8, 7.2.11, 7.0.11 or later) to protect against unauthorized access.
- Monitor FortiWeb systems for suspicious activities, particularly unusual HTTP requests to the /api/fabric/device/status endpoint.
How can Barracuda protect you against this threat?
Barracuda’s Managed Vulnerability Security service proactively detects vulnerable FortiWeb installations across your infrastructure before an exploit can take place. This fully managed service identifies and prioritizes vulnerabilities across servers, endpoints, network devices, and cloud infrastructure.
When combined with Barracuda Managed XDR, it enables a defense-in-depth strategy, closing security gaps while also identifying suspicious login events and lateral movement that might indicate exploitation attempts. This unified approach—integrating vulnerability scanning with XDR’s detection engine—helps organizations stay ahead of advanced threats, reduce vendor complexity, and strengthen their overall security posture against vulnerabilities like this.
Reference
For more in-depth information about the recommendations, please visit the following link:
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.