A critical security vulnerability in Fortinet’s FortiWeb Fabric Connector has been discovered and exploited, allowing attackers to execute remote code on affected systems without authentication. Watchtower researchers analyzing the vulnerability discovered that the flaw resides in the get_fabric_user_by_token function, which processes authentication tokens from external Fortinet devices attempting to integrate with FortiWeb APIs. The attack chain involves injecting payloads that store malicious Python code in the database, then using UNION SELECT statements with INTO OUTFILE to write the code to Python’s site-packages directory. Fortinet has acknowledged the vulnerability and provided patches addressing the underlying SQL injection by implementing proper parameterized queries using prepared statements instead of string concatenation. The vulnerability stems from an unauthenticated SQL injection flaw in the FortiWeb Fabric Connector’s authentication mechanism. Researchers demonstrated that attackers can bypass authentication entirely using simple payloads like AAAAAA'or'1'='1, which causes the SQL query to return successful authentication for any request. This connector serves as integration middleware between FortiWeb web application firewalls and other Fortinet ecosystem products, enabling dynamic policy updates based on real-time infrastructure changes and threat intelligence. The combination of unauthenticated access, root-level MySQL execution, and accessible code execution paths created a perfect storm for critical system compromise. The vulnerable code uses a simple snprintf function to build queries like select id from fabric_user.user_table where token='%s', where the token value comes directly from HTTP Authorization headers.
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 11 Jul 2025 12:35:15 +0000