CVE

CVE-2025-25257

CISA Known Exploited Vulnerability (KEV)

Fortinet FortiWeb SQL Injection Vulnerability

July 18, 2025

August 8, 2025

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

An improper neutralization of special elements used in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in Fortinet FortiWeb version 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10 and below 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.

Weakness Enumeration

CWE-ID CWE Name

CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Known Affected Software Configurations



Details

Source: NVD
Published:
Updated:

Risk information

CVSS v3

Base score: 9.8
Severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

Not defined