Fortinet has patched a critical vulnerability in its FortiWeb Fabric Connector, tracked as CVE-2025-25257. This vulnerability, found by security researcher Sina Kheirkhah, is due to a poorly implemented function titled: “get_fabric_user_by_token.” The exploitable part of the vulnerability comes from pre-auth SQL injection that could be used to achieve pre-auth RCE.
The get_fabric_user_by_token function serves an important purpose in the Fabric Connector component. This new component serves as a connector, tying FortiWeb and other Fortinet products together. The security issue comes from attacker-controlled input that is blindly passed when included in a Bearer token Authorization header. That input is then directly appended to an SQL database query without proper sanitization, leaving a major security vulnerability open.
Vulnerability Details
The only reason this is particularly troubling is how it’s been weaponized. The “get_fabric_user_by_token” function is invoked by another function known as “fabric_access_check,” which is called from three specific API endpoints: “/api/fabric/device/status,” “/api/v[0-9]/fabric/widget/[a-z]+,” and “/api/v[0-9]/fabric/widget.” Any one of these endpoints could be fatal. A malicious actor would have been able to run arbitrary SQL commands if they were able to successfully forge the Bearer token.
Fortinet has given CVE-2025-25257 a truly bonkers CVSS score of 9.6 out of 10.0. This maximum score is intended to call attention to the grave threat that this vulnerability represents. The company has stated,
“An improper neutralization of special elements used in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.”
Remediation and Response
In response to this glaring shortcoming, Fortinet has made available a patch focused on mitigating the vulnerability. The redone version of the impacted function now uses prepared statements to avoid using the risky format-string query altogether. This release is an effort to proactively block basic SQL injection attacks. Sina Kheirkhah commented on the update:
“The new version of the function replaces the previous format-string query with prepared statements – a reasonable attempt to prevent straightforward SQL injection.”
If you or your organization uses FortiWeb, you need to take immediate action. Patch now to ensure your systems are not vulnerable to attacks that exploit this new vulnerability.
