FortiWeb Vulnerability: SQL Injection to Remote Code Execution

What Happened

A serious vulnerability has been discovered in the FortiWeb Fabric Connector version 7.6.x. This flaw allows attackers to exploit a SQL injection vulnerability, which can lead to remote code execution. Additionally, a newly identified authentication bypass vulnerability (CVE-2025-64446) affects multiple versions of FortiWeb, including 7.6.x, allowing unauthenticated attackers to gain administrative access. This poses a significant risk as hackers can potentially run their own malicious code on the affected systems without any physical access.

The SQL injection vulnerability occurs when user input is not properly sanitized, allowing attackers to manipulate database queries. By exploiting this weakness, they can execute arbitrary commands on the server, making it a critical risk for organizations using this software. Immediate action is required to protect sensitive data and systems from potential breaches.

New Exploit Details

Recent findings reveal that the vulnerability extends to FortiWeb versions below 7.6.7, 7.8.7, and 8.0.2, with a CVSS score of 9.8, indicating a critical severity level. The exploit allows attackers to gain full system compromise, including the ability to execute arbitrary code remotely via a crafted payload. The exploit was documented by security researcher Mohammed Idrees Banyamer, who provided detailed instructions on executing the attack, emphasizing the potential for root reverse shell access.

Why Should You Care

If you or your organization uses FortiWeb Fabric Connector 7.6.x, this vulnerability could put your data at risk. Imagine leaving your front door unlocked; anyone can walk in and take whatever they want. In this case, hackers could gain access to your sensitive information, leading to data theft or even system compromise.

This vulnerability is particularly concerning because it affects web applications that rely on FortiWeb for security. Your business operations, customer data, and reputation could all be at stake. If you think your organization is safe, remember that even a small oversight in security can lead to significant consequences.

What's Being Done

Fortinet, the company behind FortiWeb, is aware of this vulnerability and is working on a patch to fix the issue. In the meantime, here are some steps you should take:

• Update your FortiWeb Fabric Connector to the latest version as soon as it’s available.
• Review your application logs for any suspicious activity that may indicate exploitation attempts.
• Implement additional security measures, such as web application firewalls, to protect against SQL injection attacks.

Experts are closely monitoring the situation for any signs of active exploitation. Stay informed and be proactive to safeguard your systems.

Additional Vulnerabilities

In addition to the SQL injection vulnerability, a critical authentication bypass vulnerability (CVE-2025-64446) has been identified in FortiWeb versions 7.0.x to 8.0.1. This flaw allows unauthenticated attackers to send specially crafted HTTP/HTTPS requests, potentially granting them administrative access without needing valid credentials. The CVSS score for this vulnerability is 9.8, indicating a critical severity level.

Mitigation Steps

If immediate patching is not possible for the authentication bypass vulnerability, consider the following mitigations:

1. Disable public HTTP/HTTPS administrative access.
2. Restrict admin interfaces to trusted internal networks.
3. Use firewall rules to limit admin-port access.
4. Monitor logs for traversal-like patterns.

Upgrade to the nearest patched version as soon as possible to mitigate both vulnerabilities and protect your systems.