CVE-2025-25257

CRITICAL

CVSS v3

9.8

CRITICAL

EPSS Score

22.1%

exploit probability

CISA KEV

No

known exploited

Exploitation

SSVC status

Description

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.7, FortiWeb 7.2.0 through 7.2.10, FortiWeb 7.0.0 through 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.

Technical Details

CVSS v3 Vector
3.1
Published
7/17/2025
Last Modified
2/20/2026

Frequently Asked Questions

What is CVE-2025-25257?

An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] vulnerability in Fortinet FortiWeb 7.6.0 through 7.6.3, FortiWeb 7.4.0 through 7.4.7, FortiWeb 7.2.0 through 7.2.10, FortiWeb 7.0.0 through 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.

Is CVE-2025-25257 actively exploited?

Active exploitation of CVE-2025-25257 has not been confirmed. The EPSS score is 22.1%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2025-25257?

CVE-2025-25257 has a CVSS v3 base score of 9.8 (CRITICAL severity), with vector string 3.1.

Is CVE-2025-25257 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.

Check an IPSearch CVEs
Back to CVE Database