{"uuid": "8e8d20dc-fdfa-49d1-948e-61e14e28462b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "title": "FortiWeb - Unauthenticated SQL injection in GUI", "description": "# PSIRT | FortiGuard Labs\nUnauthenticated SQL injection in GUI\n------------------------------------\n\n### Summary\n\nAn improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability \\[CWE-89\\] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.\n\n\n|Version     |Affected            |Solution                   |\n|------------|--------------------|---------------------------|\n|FortiWeb 7.6|7.6.0 through 7.6.3 |Upgrade to 7.6.4 or above  |\n|FortiWeb 7.4|7.4.0 through 7.4.7 |Upgrade to 7.4.8 or above  |\n|FortiWeb 7.2|7.2.0 through 7.2.10|Upgrade to 7.2.11 or above |\n|FortiWeb 7.0|7.0.0 through 7.0.10|Upgrade to 7.0.11 or above |\n\n\n### Workaround\n\nDisable the HTTP/HTTPS administrative interface.\n\n### Acknowledgement\n\nFortinet is pleased to thank Kentaro Kawane from GMO Cybersecurity by Ierae for reporting this vulnerability under responsible disclosure.\n\n### Timeline\n\n2025-07-08: Initial publication\n\nRef: [https://fortiguard.fortinet.com/psirt/FG-IR-25-151](https://fortiguard.fortinet.com/psirt/FG-IR-25-151)", "description_format": "markdown", "vulnerability": "CVE-2025-25257", "creation_timestamp": "2025-07-11T07:02:48.563599+00:00", "timestamp": "2025-07-11T07:03:41.794087+00:00", "related_vulnerabilities": [], "meta": [{"tags": ["vulnerability:exploitability=documented"]}], "author": {"login": "sync_user", "name": "sync_user", "uuid": "4f29edb9-4c4b-44ca-b041-9b050656b6ae"}}
