Hub Appsec rule

More info

vpatch-CVE-2025-25257 AppSec Rule

« vpatch-CVE-2025-25257 »
v0.1 by crowdsecurity
AppSec rule

Fortinet FortiWeb Fabric Connector - Pre-Authenticated SQL Injection (CVE-2025-25257)

Installation

cscli appsec-rules install crowdsecurity/vpatch-CVE-2025-25257

YAML Configuration

1name: crowdsecurity/vpatch-CVE-2025-25257
2description: "Fortinet FortiWeb Fabric Connector - Pre-Authenticated SQL Injection (CVE-2025-25257)"
3#https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/
4rules:
5  - and:
6      - zones:
7          - METHOD
8        match:
9          type: equals
10          value: GET
11      - zones:
12          - URI
13        transform:
14          - lowercase
15        match:
16          type: regex
17          value: /api/(fabric/device/status|v[0-9]/fabric/widget)
18      - zones:
19          - HEADERS
20        variables:
21          - Authorization
22        match:
23          type: contains
24          value: "'"
25
26labels:
27  type: exploit
28  service: http
29  confidence: 3
30  spoofable: 0
31  behavior: "http:exploit"
32  label: "Fortinet FortiWeb Fabric Connector - Pre-Authenticated SQL Injection"
33  classification:
34    - cve.CVE-2025-25257
35    - attack.T1190
36    - cwe.CWE-89
37

Hub Appsec rule

« vpatch-CVE-2025-25257 »v0.1 by crowdsecurityAppSec rule

« vpatch-CVE-2025-25257 »
v0.1 by crowdsecurity
AppSec rule