CVE-2025-25257CRITICAL 9.8CISA KEVEPSS p99.9%

CVE-2025-25257Fortinet FortiWeb SQL Injection Vulnerability

Fortinet / FortiWeb

Description

Fortinet FortiWeb contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS96.71% probability of exploitation · percentile 99.9% · 2026-06-18T12:00:27Z
Published2025-07-17
Last modified2026-02-20

CISA KEV entry

Added to KEV: 2025-07-18

Underlying weaknesses· 1

CWE-89

References

  1. https://fortiguard.fortinet.com/psirt/FG-IR-25-151
  2. https://packetstorm.news/files/id/210193/
  3. https://www.exploit-db.com/exploits/52473
  4. https://github.com/0xbigshaq/CVE-2025-25257
  5. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-25257

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')cwe-890%live

(incoming)1

TypeTargetConfidenceTier
KEVEntryFortinet FortiWeb SQL Injection Vulnerabilitykev-cve-2025-252570%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
Fortinet FortiClient EMS SQL Injection Vulnerability
CVE
CVE-2026-39815
CVE
Fortinet FortiWeb OS Command Injection Vulnerability
CVE
CVE-2026-25088
CVE
CVE-2025-58692
CVE
Fortinet FortiOS Out-of-Bound Write Vulnerability
Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.