Unauthenticated SQL injection in GUI Fortinet PSIRT Advisories Fortinet PSIRT Contact: Website: https://fortiguard.fortinet.com/faq/psirt-contact FG-IR-25-151 Final 1 1 2025-07-08T00:00:00 Current version 2025-07-08T00:00:00 2025-07-18T00:00:00 An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.Fortinet has observed this to be exploited in the wild on FortiWeb. None Execute unauthorized code or commands None Fortinet is pleased to thank Kentaro Kawane from GMO Cybersecurity by Ierae for reporting this vulnerability under responsible disclosure. FortiWeb 7.6.3 FortiWeb 7.6.2 FortiWeb 7.6.1 FortiWeb 7.6.0 FortiWeb 7.4.7 FortiWeb 7.4.6 FortiWeb 7.4.5 FortiWeb 7.4.4 FortiWeb 7.4.3 FortiWeb 7.4.2 FortiWeb 7.4.1 FortiWeb 7.4.0 FortiWeb 7.2.10 FortiWeb 7.2.9 FortiWeb 7.2.8 FortiWeb 7.2.7 FortiWeb 7.2.6 FortiWeb 7.2.5 FortiWeb 7.2.4 FortiWeb 7.2.3 FortiWeb 7.2.2 FortiWeb 7.2.1 FortiWeb 7.2.0 FortiWeb 7.0.10 FortiWeb 7.0.9 FortiWeb 7.0.8 FortiWeb 7.0.7 FortiWeb 7.0.6 FortiWeb 7.0.5 FortiWeb 7.0.4 FortiWeb 7.0.3 FortiWeb 7.0.2 FortiWeb 7.0.1 FortiWeb 7.0.0 CVE-2025-25257 FortiWeb-7.6.3 FortiWeb-7.6.2 FortiWeb-7.6.1 FortiWeb-7.6.0 FortiWeb-7.4.7 FortiWeb-7.4.6 FortiWeb-7.4.5 FortiWeb-7.4.4 FortiWeb-7.4.3 FortiWeb-7.4.2 FortiWeb-7.4.1 FortiWeb-7.4.0 FortiWeb-7.2.10 FortiWeb-7.2.9 FortiWeb-7.2.8 FortiWeb-7.2.7 FortiWeb-7.2.6 FortiWeb-7.2.5 FortiWeb-7.2.4 FortiWeb-7.2.3 FortiWeb-7.2.2 FortiWeb-7.2.1 FortiWeb-7.2.0 FortiWeb-7.0.10 FortiWeb-7.0.9 FortiWeb-7.0.8 FortiWeb-7.0.7 FortiWeb-7.0.6 FortiWeb-7.0.5 FortiWeb-7.0.4 FortiWeb-7.0.3 FortiWeb-7.0.2 FortiWeb-7.0.1 FortiWeb-7.0.0 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:X/RC:C https://fortiguard.fortinet.com/psirt/FG-IR-25-151 Unauthenticated SQL injection in GUI Reference>