Thursday , July 17 2025
FortiWeb

CVE-2025-25257
Fortinet Addresses Major SQL Injection Flaw in FortiWeb

infosecbulletin 1 week ago Alert, International, Vulnerabilities

Fortinet has issued a critical patch for a critical vulnerability in its FortiWeb product, a web application firewall commonly used in enterprises. Identified as CVE-2025-25257, this high-severity issue is an unauthenticated SQL injection flaw that lets remote attackers run unauthorized SQL commands through specially crafted HTTP or HTTPS requests.

“An improper neutralization of special elements used in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests,” Fortinet stated in its advisory.

Node.js Flaws Expose Windows Apps to Path Traversal & HashDoS Attacks

By infosecbulletin / Wednesday , July 16 2025
The OpenJS Foundation has updated Node.js 24.x, 22.x, and 20.x to fix two serious vulnerabilities—CVE-2025-27210 and CVE-2025-27209—that could endanger Windows...
Read More
Node.js Flaws Expose Windows Apps to Path Traversal & HashDoS Attacks

Broadcom fixes multiple vulnerabilities in VMware ESXi, Workstation, and Fusion

By infosecbulletin / Wednesday , July 16 2025
Broadcom has urgently alerted about four serious vulnerabilities in VMware ESXi, Workstation, Fusion, and Tools, with CVSS scores up to...
Read More
Broadcom fixes multiple vulnerabilities in VMware ESXi, Workstation, and Fusion

Oracle Patched 309 Vulnerabilities with 145 Remotely Exploitable Flaw

By infosecbulletin / Wednesday , July 16 2025
Oracle's July 2025 Critical Patch Update was released fixing 309 security vulnerabilities across its products. The update impacts 34 key...
Read More
Oracle Patched 309 Vulnerabilities with 145 Remotely Exploitable Flaw

Microsoft Extends 365 Support Until 2028 with ESU Program

By infosecbulletin / Tuesday , July 15 2025
Microsoft has quietly revealed that it will stop adding new features to Office apps (Microsoft 365) for Windows 10 users...
Read More
Microsoft Extends 365 Support Until 2028 with ESU Program

Meta’s $100B AI Push: Gigawatt-Size Data Centers Spark Water Crisis

By infosecbulletin / Tuesday , July 15 2025
Zuckerberg announced that the company is constructing Gigawatt-Size Data Centers for its AI projects, with the first one launching next...
Read More
Meta’s $100B AI Push: Gigawatt-Size Data Centers Spark Water Crisis

4 vulns impact Gigabyte motherboards to UEFI malware bypassing Secure Boot

By infosecbulletin / Tuesday , July 15 2025
Four vulnerabilities in Gigabyte firmware were found by Binarly researchers and reported to Carnegie Mellon University's CERT Coordination Center. The...
Read More
4 vulns impact Gigabyte motherboards to UEFI malware bypassing Secure Boot

Wing FTP 2000+ Servers Exposed Online: Actively Exploiting

By infosecbulletin / Monday , July 14 2025
Security researchers warn that hackers are exploiting a critical vulnerability in Wing FTP Server to gain control of affected systems....
Read More
Wing FTP 2000+ Servers Exposed Online: Actively Exploiting

CVE-2025-7503 (CVSS 10)
Backdoor in popular IP Camera Allows Hackers Root Access

By infosecbulletin / Monday , July 14 2025
A severe vulnerability (CVE-2025-7503) has been found in an IP camera from Shenzhen Liandian Communication Technology LTD. With a CVSSv4...
Read More
CVE-2025-7503 (CVSS 10) Backdoor in popular IP Camera Allows Hackers Root Access

(CVE-2025-25257)
Patch Urgently! Exploits for pre-auth Fortinet FortiWeb RCE flaw released

By infosecbulletin / Saturday , July 12 2025
Proof of concept exploits for a serious SQLi vulnerability in Fortinet FortiWeb have been released, allowing pre-authenticated remote code execution...
Read More
(CVE-2025-25257) Patch Urgently! Exploits for pre-auth Fortinet FortiWeb RCE flaw released

GP launched appless ‘GP Shield’ to protect mobile for only 50 TK

By infosecbulletin / Friday , July 11 2025
Kaspersky's research says that in 2024, 33.3 million cyber attacks were launched worldwide against mobile devices. The aim of these...
Read More
GP launched appless ‘GP Shield’ to protect mobile for only 50 TK

The issue, with a CVSS score of 9.6, is critical as it doesn’t require authentication to exploit, making it an attractive target for attackers.

SQL injection

If not fixed, the vulnerability allows attackers to access sensitive data, change database content, or compromise backend systems.

For organizations that can’t upgrade right away, Fortinet suggests disabling the HTTP/HTTPS administrative interface as a temporary workaround:

“Disable HTTP/HTTPS administrative interface,” the advisory recommends, as this interface is the primary attack vector.

However, disabling the GUI interface may limit manageability and is not considered a permanent solution. Organizations are strongly urged to apply the vendor-supplied patches.

Fortinet is pleased to thank Kentaro Kawane from GMO Cybersecurity by Ierae for reporting this vulnerability under responsible disclosure.

Microsoft July 2025 Patch Tuesday: One zero-day, 137 flaws

Check Also

Microsoft Extends 365 Support Until 2028 with ESU Program

Microsoft has quietly revealed that it will stop adding new features to Office apps (Microsoft …

Leave a Reply

Your email address will not be published. Required fields are marked *

Mail: [email protected]
© Copyright 2025, All Rights Reserved InfoSecBulletin