← Retour aux CVEs

CVE-2025-25257

CRITICALCISA KEV

9.8

Description

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.7, FortiWeb 7.2.0 through 7.2.10, FortiWeb 7.0.0 through 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.

Details CVE

Score CVSS v3.19.8

SeveriteCRITICAL

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisNONE

Interaction utilisateurNONE

Publie7/17/2025

Derniere modification2/20/2026

Sourcekev

Observations honeypot0

CISA KEV

FournisseurFortinet

ProduitFortiWeb

Nom vulnerabiliteFortinet FortiWeb SQL Injection Vulnerability

Date ajout KEV2025-07-18

Date limite remediation2025-08-08

Utilise dans ransomwareUnknown

Produits affectes

fortinet:fortiweb

Faiblesses (CWE)

CWE-89CWE-89

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-151(psirt@fortinet.com)

https://packetstorm.news/files/id/210193/(af854a3a-2127-422b-91ae-364da2661108)

https://www.exploit-db.com/exploits/52473(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/0xbigshaq/CVE-2025-25257(134c704f-9b21-4f2e-91b3-4a467353bcc0)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-25257(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.