A simple mistake with big consequences

Fortinet has pushed an urgent update for its FortiWeb web-application firewall after researchers uncovered a critical weakness that lets anyone on the internet run their own database commands on unprotected systems. The defect, catalogued as CVE-2025-25257 and rated 9.6 on the CVSS danger scale, stems from an SQL-injection issue—industry shorthand for a bug that lets hostile data slip straight into a database query. In plain terms, an attacker does not need a password or any special access; a specially crafted request aimed at a vulnerable FortiWeb device can trick the product into executing whatever SQL statements the attacker chooses.

How the bug was found and why it matters

The slip-up was spotted by Kentaro Kawane of GMO Cybersecurity, the same security specialist who recently flagged several headline-grabbing problems in Cisco’s Identity Services Engine. watchTowr Labs later published a deep dive explaining that the vulnerable code lives in a helper routine named get_fabric_user_by_token, which the appliance calls whenever it tries to check whether a request is allowed to talk to other Fortinet hardware. The function swallows the value of the “Bearer” token that rides inside an HTTP Authorization header and uses it directly inside a database query—without cleansing it first. Because the query runs under the high-privilege “mysql” account, a crook can go further than reading data: they can tack on commands such as SELECT ... INTO OUTFILE to drop malicious files onto the underlying operating system.

Which releases need attention now

Not every build of FortiWeb is exposed, but a long string of them are. Fortinet says customers running version 7.6 starting with the initial 7.6.0 up through 7.6.3 should move up to 7.6.4 or newer. The same advice applies to the 7.4 track—every release from 7.4.0 through 7.4.7 must be replaced by 7.4.8 or later. Devices on the 7.2 branch, spanning 7.2.0 to 7.2.10, need 7.2.11, while anyone still on 7.0 versions 7.0.0 through 7.0.10 should install 7.0.11 right away. Fortinet’s wording leaves no room for doubt: if your FortiWeb build falls within those ranges, install the fixed firmware as soon as possible.

The patch, the fix, and the pressure

In its advisory, Fortinet notes that the remedied code now swaps the unsafe string-building technique for prepared statements—a safer approach that separates the query structure from the data a user supplies. That change blocks the user-supplied token from being interpreted as SQL, slamming the door on the attack vector. But code published by watchTowr makes it clear how easily crooks could weaponize the old behavior, and Fortinet devices have been popular targets for ransomware gangs and nation-state crews alike. Given that history, defenders cannot assume they have the luxury of waiting.

Stop-gap defenses if you can’t patch today

Admins who cannot roll out the new firmware in the next few hours still have options, though none are as good as updating. Fortinet recommends shutting off the web-based administrative interface—both plain HTTP and encrypted HTTPS—until patches are in place. Doing so removes the most attractive pathway for the attack. As always, teams should also block management access from the open internet, require multi-factor authentication where possible, and keep a close watch on logs for strange database queries or sudden file-creation events that might signal an exploit attempt.

Why immediate action is the safest choice

Fortinet gear is everywhere from small retail outlets to massive cloud environments, and earlier flaws in the same product line have ended up in automated exploit kits within days of disclosure. Now that the technical write-up is public, criminals do not need to start from scratch; they can borrow the proof-of-concept and spray it across the internet in search of lagging systems. That means every hour of delay increases the window during which an attacker could quietly add a new admin user, siphon sensitive business data, or pivot deeper into the network.

In short, if you run FortiWeb to shield your web applications, treat this week’s patch as a top-priority job. Download the fixed release, schedule a maintenance window, and get it installed. Then double-check that the management portal is only reachable from trusted addresses, audit your database for strange new tables or files, and keep an eye on vendor alerts for any follow-up guidance. The flaw is serious, but with prompt updates and a little extra vigilance, you can stay one step ahead of the attackers waiting to pounce.