Serial number: AV25-406
Date: July 8, 2025
Updated: July 18, 2025
On July 8, 2025, Fortinet published security advisories to address vulnerabilities in multiple products. Included were updates for the following:
- FortiAnalyzer – multiple versions
- FortiAnalyzer Cloud – multiple versions
- FortiIsolator – multiple versions
- FortiManager – multiple versions
- FortiManager Cloud – multiple versions
- FortiOS 7.6 – versions 7.6.0 to 7.6.1
- FortiOS 7.4 – versions 7.4.0 to 7.4.7
- FortiOS 7.2 – versions 7.2.0 to 7.2.11
- FortiOS 7.0 – versions 7.0.1 to 7.0.16
- FortiProxy 7.6 – versions 7.6.0 to 7.6.1
- FortiProxy 7.4 – versions 7.4.0 to 7.4.8
- FortiProxy 7.2 – versions 7.2.0 to 7.2.13
- FortiProxy 7.0 – versions 7.0.0 to 7.0.20
- FortiSandbox – multiple versions
- FortiVoice 6.4 – versions 6.4.0 to 6.4.10
- FortiVoice 7.0 – versions 7.0.0 to 7.0.6
- FortiVoice 7.2 – version 7.2.0
- FortiWeb – multiple versions
Update 2
On July 18, 2025, CISA added CVE-2025-25257 to their Known Exploited Vulnerabilities (KEV) Catalog.
On July 18, 2025, Fortinet updated their advisory to indicate that this vulnerability has been exploited.
Update 1
CVE-2025-25257: Unauthenticated SQL injection in GUI affecting:
- FortiWeb 7.6 – versions 7.6.0 to 7.6.3
- FortiWeb 7.4 – versions 7.4.0 to 7.4.7
- FortiWeb 7.2 – versions 7.2.0 to 7.2.10
- FortiWeb 7.0 – versions 7.0.0 to 7.0.10
- Fortinet PSIRT – FG-IR-25-151
The Cyber Centre encourages users and administrators to review the provided web link and apply the necessary updates.