PSIRT

Unauthenticated SQL injection in GUI

Summary

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.

Fortinet has observed this to be exploited in the wild on FortiWeb.

Version	Affected	Solution
FortiWeb 7.6	7.6.0 through 7.6.3	Upgrade to 7.6.4 or above
FortiWeb 7.4	7.4.0 through 7.4.7	Upgrade to 7.4.8 or above
FortiWeb 7.2	7.2.0 through 7.2.10	Upgrade to 7.2.11 or above
FortiWeb 7.0	7.0.0 through 7.0.10	Upgrade to 7.0.11 or above
FortiWeb 6.4	Not affected	Not Applicable

Workaround

Disable HTTP/HTTPS administrative interface

Acknowledgement

Fortinet is pleased to thank Kentaro Kawane from GMO Cybersecurity by Ierae for reporting this vulnerability under responsible disclosure.

Timeline

2025-07-08: Initial publication
2025-07-18: CVE observed to be exploited

IR Number	FG-IR-25-151
Published Date	Jul 8, 2025
Updated Date	Jul 18, 2025
Component	GUI
Severity	Critical
Discovered	External
Attack Type	Unauthenticated
Known Exploited	Yes
CVSSv3 Score	9.6
Impact	Execute unauthorized code or commands
CVE ID
Download	CVRF CSAF STIX

Protect

Detect

Respond

Recover

Identify

Network Security

Cloud & Application Security

Endpoint Security

Security Operations

PSIRT

Unauthenticated SQL injection in GUI

Summary

Workaround

Acknowledgement

Timeline

Research Center

Services

Protect

Detect

Respond

Recover

Identify

Network Security

Cloud & Application Security

Endpoint Security

Security Operations

Threat Intelligence Center

Support Center

Resource Center

About

PSIRT

Unauthenticated SQL injection in GUI

Summary

Workaround

Acknowledgement

Timeline

Threat Intelligence
Center