← Volver a CVEs

CVE-2025-25257

CRITICALCISA KEV

9.8

Descripcion

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.7, FortiWeb 7.2.0 through 7.2.10, FortiWeb 7.0.0 through 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.

Detalles CVE

Puntuacion CVSS v3.19.8

SeveridadCRITICAL

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosNONE

Interaccion usuarioNONE

Publicado7/17/2025

Ultima modificacion2/20/2026

Fuentekev

Avistamientos honeypot0

CISA KEV

VendedorFortinet

ProductoFortiWeb

Nombre vulnerabilidadFortinet FortiWeb SQL Injection Vulnerability

Fecha inclusion KEV2025-07-18

Fecha limite remediacion2025-08-08

Uso en ransomwareUnknown

Productos afectados

fortinet:fortiweb

Debilidades (CWE)

CWE-89CWE-89

Referencias

https://fortiguard.fortinet.com/psirt/FG-IR-25-151(psirt@fortinet.com)

https://packetstorm.news/files/id/210193/(af854a3a-2127-422b-91ae-364da2661108)

https://www.exploit-db.com/exploits/52473(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/0xbigshaq/CVE-2025-25257(134c704f-9b21-4f2e-91b3-4a467353bcc0)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-25257(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.