CVE Alert: CVE-2025-25257 – Fortinet – FortiWeb

Risk verdict

Critical risk: unauthenticated SQL injection on the affected web application firewall with active exploitation and a CISA KEV listing; treat as priority 1.

Why this matters

Successful exploitation could read or alter sensitive data, bypass authentication, or command back-end systems, with rapid automation possible due to no user interaction. The impact is high for organisations storing customer data or relying on this device for public-facing security controls.

Most likely attack path

Remote, network-based exploitation via crafted HTTP/HTTPS requests; no credentials or user interaction required. The attacker can inject SQL through vulnerable input surfaces, enabling data access or modification while the scope remains unchanged, allowing potential lateral movement into connected systems.

Who is most exposed

Organisations hosting internet-facing deployments of this appliance (perimeter/DMZ or front-end web assets) are most at risk, particularly where public apps rely on this product as a gatekeeper.

Detection ideas

• WAF logs showing repeated SQLi-pattern payloads (e.g., UNION SELECT, sleep(), tautologies) on login or data endpoints.
• Sudden spikes in 4xx/5xx responses or DB-related errors tied to specific URLs.
• Unusual, high-latency database queries or failed query patterns in application logs.
• Correlation with known exploitation indicators from KEV/advisories.

Mitigation and prioritisation

• Apply vendor-recommended patches to the latest available releases (do not rely on old builds).
• Enable strict SQLi detection rules and tighten input validation at the gateway.
• Restrict access to management surfaces; implement network segmentation and rate limiting; disable verbose error messages.
• Plan a change window for deployment and validate in a staging environment.
• Treat as priority 1 due to KEV presence and active exploitation.