The Digital Security Authority (DSA) wants to bring to your attention a vulnerability affecting FortiWeb.
Technical Details
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests.
The attack can be extended further to remote code execution by embedding a SELECT ... INTO OUTFILE statement to write a malicious payload to a file in the underlying operating system by taking advantage of the fact that the query is run as the "mysql" user, and execute it via Python.
Recommendations
The Digital Security Authority recommends upgrading FortiWeb as per their version:
| Version | Affected | Solution |
| FortiWeb 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| FortiWeb 7.4 | 7.4.0 through 7.4.7 | Upgrade to 7.4.8 or above |
| FortiWeb 7.2 | 7.2.0 through 7.2.10 | Upgrade to 7.2.11 or above |
| FortiWeb 7.0 | 7.0.0 through 7.0.10 | Upgrade to 7.0.11 or above |
References
The information presented in this report is based on available data up to the 13th of July 2025.