An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] (CVE-2025-25257) in Fortinet FortiWeb version 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10 and below 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.
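As an added example (not Fortinet's code and not part of this page), the following Python helper encodes the affected FortiWeb version ranges stated above and tests reported version strings against them, so an inventory can be triaged before patching. The host names and version banners are constructed; the clause "below 7.0.10" is encoded literally as 7.0.0 <= version < 7.0.10, which is an interpretation of the wording that should be confirmed against Fortinet's own PSIRT advisory before it is relied on.

```python
"""Triage helper for CVE-2025-25257: flag FortiWeb versions that fall inside the
affected ranges quoted in the advisory text. Added example, not vendor code."""
import re

# Inclusive (low, high) ranges copied from the advisory text.
AFFECTED_INCLUSIVE = (
    ((7, 6, 0), (7, 6, 3)),
    ((7, 4, 0), (7, 4, 7)),
    ((7, 2, 0), (7, 2, 10)),
)
# "below 7.0.10" is encoded literally as 7.0.0 <= version < 7.0.10. This is an
# interpretation of the text; confirm the exact boundary against the vendor advisory.
AFFECTED_HALF_OPEN = ((7, 0, 0), (7, 0, 10))

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first major.minor.patch triple from a version string.

    Accepts a bare '7.4.5' as well as longer banners such as the constructed
    'FortiWeb-VM 7.4.5,build1234(GA)'; build suffixes are ignored.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True if the version lies in one of the affected ranges listed above."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if any(low <= v <= high for low, high in AFFECTED_INCLUSIVE):
        return True
    low, high = AFFECTED_HALF_OPEN
    return low <= v < high


def affected_hosts(inventory):
    """Return the sorted host names whose reported version is affected."""
    return sorted(host for host, banner in inventory.items() if is_affected(banner))


# Constructed sample inventory (fictional hosts and banners, for illustration only).
SAMPLE_INVENTORY = {
    "waf-edge-01": "FortiWeb-VM 7.6.2,build1189(GA)",
    "waf-edge-02": "7.6.4",
    "waf-dc-01": "7.4.7",
    "waf-dc-02": "7.2.11",
    "waf-lab": "7.0.9",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected by CVE-2025-25257")
```

Because the check keys on the first x.y.z triple it finds, feed it one banner per host rather than free text that may contain other dotted numbers. Versions outside the 7.0 to 7.6 branches are reported as unaffected only because the advisory text names no other branch.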
https://thehackernews.com/2025/07/cisco-warns-of-critical-ise-flaw.html
https://hackread.com/critical-vulnerability-fortinet-fortiweb-cve-2025-25257/
https://thehackernews.com/2025/07/fortinet-releases-patch-for-critical.html
https://pwner.gg/blog/2025-07-10-fortiweb-fabric-rce
https://www.securityweek.com/ivanti-fortinet-splunk-release-security-updates/
Published: 2025-07-17
Updated: 2025-07-21
Known Exploited Vulnerability (KEV)
CVSS v2.0 Base Score: 10
CVSS v2.0 Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS v2.0 Severity: Critical
CVSS v3.1 Base Score: 9.8
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v3.1 Severity: Critical
EPSS: 0.00131
Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.
Vulnerability of Interest