Joseph Lee

CVE-2025-25257: Urgent Pre-Auth RCE in FortiWeb Fabric Connector


A fresh vulnerability, CVE-2025-25257 (CVSS 9.6) in Fortinet’s FortiWeb Fabric Connector, presents high risk globally. Although the CVE is still only in RESERVED status as of July 14th, 2025, it has already received a national CERT advisory from Belgium’s CERT.be, and the Center for Internet Security (CIS) has also issued an alert. More alerts should follow shortly as the CVE reaches PUBLISHED status.

Multiple public Proof of Concept (PoC) exploits [1][2] are available, further increasing the risk level. Users should apply updates with urgency. Greenbone issued a detection test for this flaw soon after its disclosure, allowing defenders to identify vulnerable systems across their networks. Let’s dig into the details of CVE-2025-25257 to find out what it’s all about.

CVE-2025-25257: Unauthenticated RCE in FortiWeb Fabric Connector

CVE-2025-25257 (CVSS 9.6) is an unauthenticated Remote Code Execution (RCE) flaw in Fortinet FortiWeb Fabric Connector with a critical impact score. The flaw allows both SQL code and Python code to be executed on a victim’s system due to improper neutralization of HTTP headers. Shockingly, this vulnerability exists because the HTTP “Authorization: Bearer” header value is inserted into SQL queries without being sanitized [CWE-89], which is an unforgivably poor software design. Full technical descriptions and exploits [1][2][3] have been published by watchTowr Labs and other security researchers. This means exploitation should now be considered trivial for attackers of all skill levels.
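The root cause described above, the bearer token of the Authorization header being spliced into SQL text, is illustrated here with an added, self-contained example that is not FortiWeb's code: a hypothetical token lookup in the vulnerable style next to its hardened form, which whitelists the token format and binds it as a query parameter. The table, schema and token alphabet are constructed assumptions.

```python
import re
import sqlite3
from typing import Optional

# Constructed sample table standing in for a connector's API-token store
# (hypothetical schema; not FortiWeb's).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_users (token TEXT PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO api_users VALUES ('abc123def456ghi789', 'fabric-admin')")
    conn.commit()
    return conn

def bearer_token(authorization: str) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>' (None if absent)."""
    scheme, _, token = authorization.strip().partition(" ")
    return token if scheme.lower() == "bearer" and token else None

def lookup_vulnerable(conn: sqlite3.Connection, authorization: str) -> Optional[str]:
    # Anti-pattern (CWE-89): the header value becomes part of the SQL text,
    # so quotes and operators inside it are parsed as SQL by the database.
    token = bearer_token(authorization)
    if token is None:
        return None
    row = conn.execute(f"SELECT name FROM api_users WHERE token = '{token}'").fetchone()
    return row[0] if row else None

# Assumed token alphabet: strict whitelist, no quotes, spaces or comment markers.
TOKEN_RE = re.compile(r"^[A-Za-z0-9._-]{16,128}$")

def lookup_safe(conn: sqlite3.Connection, authorization: str) -> Optional[str]:
    # Hardened: validate the token shape first, then bind it as a parameter so
    # the database never interprets the header value as SQL.
    token = bearer_token(authorization)
    if token is None or not TOKEN_RE.match(token):
        return None
    row = conn.execute("SELECT name FROM api_users WHERE token = ?", (token,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    for hdr in ("Bearer abc123def456ghi789", "Bearer x' OR '1'='1", "Basic abc"):
        print(repr(hdr), "->", lookup_vulnerable(db, hdr), "|", lookup_safe(db, hdr))
```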

In addition to all typical SQL Injection attacks, such as enumerating the database or modifying data, attackers can gain RCE by injecting SQL code to exploit MySQL’s INTO OUTFILE command. If an executable .pth file is written into Python’s site-packages directory (/usr/local/lib/python3.10/site-packages/ in the case of FortiWeb), it will be executed every time a Python script is run, because Python’s built-in initialization mechanism (site.py) processes .pth files during interpreter startup. FortiWeb’s web-based admin console also includes a Python-based CGI script (ml-draw.py), which can be triggered without authentication, completing the exploit chain.
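Because site.py executes any .pth line that begins with `import `, a defender checking a host for this persistence technique can audit every .pth file in site-packages for such lines. The following is an added example (not Greenbone's or Fortinet's code) that does exactly that against a constructed sample directory; the severity keywords are an assumed heuristic, and the FortiWeb path is the one named above.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

# CPython's site.addpackage() exec()s lines that start with "import " or
# "import\t"; every other non-comment line is treated as a path entry.
EXEC_PREFIXES = ("import ", "import\t")
# Substrings that rarely appear in legitimate .pth hooks (assumed heuristic).
SUSPICIOUS = ("os.system", "subprocess", "exec(", "eval(", "base64", "socket")

def audit_pth(site_packages: str) -> List[Tuple[str, int, str, str]]:
    """Return (file, line_no, severity, line) for every executable .pth line."""
    findings = []
    for pth in sorted(Path(site_packages).glob("*.pth")):
        for no, raw in enumerate(pth.read_text(errors="replace").splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#") or not line.startswith(EXEC_PREFIXES):
                continue  # blank, comment or plain path entry: not executed
            sev = "high" if any(s in line for s in SUSPICIOUS) else "review"
            findings.append((pth.name, no, sev, line))
    return findings

def demo_dir() -> str:
    """Constructed sample site-packages: one benign path .pth, one import hook."""
    d = tempfile.mkdtemp()
    Path(d, "vendor.pth").write_text("/opt/vendor/lib\n# comment line\n")
    # Constructed sample of an executable hook; the command itself is harmless.
    Path(d, "x.pth").write_text('import subprocess; subprocess.call(["true"])\n')
    return d

if __name__ == "__main__":
    # Hypothetical run: the FortiWeb path from the article plus the sample dir.
    for sp in ("/usr/local/lib/python3.10/site-packages", demo_dir()):
        if not os.path.isdir(sp):
            continue
        for name, no, sev, line in audit_pth(sp):
            print(f"{sev:6} {sp}/{name}:{no}: {line}")
```

Legitimate packaging tools also ship import-line .pth hooks, so a "review" finding is a prompt to compare the file against its package's manifest and modification time rather than proof of compromise.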

Although the vulnerability is not yet known to be exploited in the wild, its pre-auth RCE status and historical attacks against Fortinet products indicate that a low-hanging fruit such as CVE-2025-25257 is likely to be exploited soon after disclosure. FortiWeb Fabric Connector is not an edge service. However, local attackers may exploit it to modify FortiWeb WAF configurations, steal sensitive information, or install additional persistent malware.

What Is FortiWeb Fabric Connector?

FortiWeb itself is a Web Application Firewall (WAF), which can be considered an edge security device when deployed in that role. Fabric Connector is a system integration component, designed to facilitate automated coordination between FortiWeb WAF and other Fortinet products such as FortiGate and FortiManager. As other Fortinet devices generate threat data, Fabric Connector can convert that data into real-time security responses within FortiWeb. Luckily, the FortiWeb Fabric Connector is not an edge service, and therefore not typically accessible via the public Internet. However, as a WAF, FortiWeb devices are tasked with blocking malicious traffic from reaching webservers. Therefore, if attackers are able to alter its configuration, they could enable secondary attacks against web-based assets.

Mitigating CVE-2025-25257

CVE-2025-25257 affects FortiWeb versions 7.0.0 through 7.0.10, 7.2.0 through 7.2.10, 7.4.0 through 7.4.7, and 7.6.0 through 7.6.3. Users should upgrade immediately to versions 7.0.11, 7.2.11, 7.4.8 or 7.6.4 or later. If updating is not possible, Fortinet advises users to disable the FortiWeb HTTP/HTTPS administrative interface.

Summary

CVE-2025-25257 offers attackers unauthenticated RCE via Fortinet’s FortiWeb Fabric Connector HTTP API. The flaw is driven by a SQL injection vulnerability that has so far been leveraged to escalate privileges and execute Python code as well. Public PoCs and a national CERT advisory from CERT.be highlight the urgency to patch or otherwise remediate. Greenbone issued detection tests for this flaw soon after its disclosure, allowing defenders to identify vulnerable systems across their networks.


Joseph Lee

Joseph has had a varied and passionate background in IT and cyber security since the late 1980s. His early technical experience included working on an IBM PS/2, assembling PCs and programming in C++.

He also pursued academic studies in computer and systems engineering, anthropology and an MBA in technology forecasting.

Joseph has worked in data analytics, software development and, in particular, enterprise IT security. He specialises in vulnerability management, encryption and penetration testing.


21. July 2025/by Joseph Lee