Fortinet has issued security updates for a critical SQL injection vulnerability in FortiWeb, which could allow attackers to execute arbitrary database commands. This flaw impacts multiple versions and is rooted in improper input sanitization in specific API functions. #FortiWeb #SQLInjection
Keypoints
- Fortinet released patches for a high-severity vulnerability in FortiWeb devices.
- The flaw (CVE-2025-25257) enables unauthenticated attackers to run arbitrary SQL commands.
- The vulnerability affects FortiWeb versions 7.6.0 to 7.6.3, 7.4.0 to 7.4.7, 7.2.0 to 7.2.10, and 7.0.0 to 7.0.10.
- The issue is caused by improper sanitization of bearer tokens passed to SQL queries in certain API endpoints.
- Users are advised to upgrade to the latest firmware versions and temporarily disable the HTTP/HTTPS interface to reduce risk.
Read More: https://thehackernews.com/2025/07/fortinet-releases-patch-for-critical.html