Telephone: 1-844-NETIZEN
Tel: 1-844-NETIZEN
Email: team (at) Netizen.net
slider

Netizen: Monday Security Brief (7/14/2024)

Posted on 14 Jul 2025 at https://www.Netizen.net/news Source Link: https://blog.netizen.net

Today’s Topics:

  • Fortinet Issues Critical Patch for SQL Injection Flaw in FortiWeb (CVE-2025-25257)
  • Critical eSIM Vulnerability in Kigen’s eUICC Cards Exposes Billions of IoT Devices to Security Risks
  • How can Netizen help?

Fortinet Issues Critical Patch for SQL Injection Flaw in FortiWeb (CVE-2025-25257)

Fortinet has released a security patch addressing a critical SQL injection vulnerability identified in its FortiWeb product. Tracked as CVE-2025-25257, the flaw poses a severe risk to affected versions of FortiWeb, potentially allowing unauthenticated attackers to execute arbitrary database commands on vulnerable instances. This issue carries a CVSS score of 9.6 out of 10, making it one of the most significant vulnerabilities discovered in recent times for the platform.

The vulnerability stems from improper neutralization of special elements used in SQL commands, known as SQL injection (CWE-89). An attacker can exploit this weakness by crafting specially designed HTTP or HTTPS requests to inject malicious SQL code into FortiWeb. If successfully executed, this attack could allow the attacker to execute unauthorized SQL commands on the system, leading to the potential compromise of the database.

The flaw specifically impacts several versions of FortiWeb, including:

  • FortiWeb 7.6.0 through 7.6.3 (upgrade to 7.6.4 or above)
  • FortiWeb 7.4.0 through 7.4.7 (upgrade to 7.4.8 or above)
  • FortiWeb 7.2.0 through 7.2.10 (upgrade to 7.2.11 or above)
  • FortiWeb 7.0.0 through 7.0.10 (upgrade to 7.0.11 or above)

The vulnerability is tied to a function named get_fabric_user_by_token, which is associated with FortiWeb’s Fabric Connector component. This function is called by another function, fabric_access_check, which is triggered from multiple API endpoints. In particular, the endpoints /api/fabric/device/status, /api/v[0-9]/fabric/widget/[a-z]+, and /api/v[0-9]/fabric/widget are directly affected.

The issue arises because attacker-controlled input, passed via a Bearer token Authorization header in specially crafted HTTP requests, is directly fed into an SQL query without proper sanitization. As a result, attackers can inject malicious SQL code, allowing them to manipulate or access sensitive data in the database.

Furthermore, the vulnerability can be extended into a remote code execution attack. This is possible by exploiting the fact that the query is run as the “mysql” user, allowing attackers to insert a SELECT ... INTO OUTFILE statement, which writes a malicious payload to a file in the operating system. The payload could then be executed via Python, escalating the attack.

Fortinet responded promptly to the discovery, issuing patches that replace the vulnerable query structure with prepared statements, mitigating the risk of SQL injection. This fix is a crucial improvement, as it directly addresses the core issue of inadequate input sanitization, which is the root cause of the flaw.

The vulnerability was discovered by Kentaro Kawane from GMO Cybersecurity, who had previously reported a set of critical flaws in Cisco’s Identity Services Engine (ISE). His findings have been acknowledged in Fortinet’s advisory, further underlining the importance of vigilance in identifying such risks in widely used cybersecurity tools.

As Fortinet has rolled out patches in versions 7.6.4, 7.4.8, 7.2.11, and 7.0.11, users are strongly advised to upgrade to these versions immediately to close the vulnerability. For those unable to apply the patches promptly, Fortinet recommends disabling the HTTP/HTTPS administrative interface as a temporary measure to mitigate the risk of exploitation.

This vulnerability is particularly concerning given the history of exploitation of Fortinet products by threat actors in the past. The critical nature of this flaw, combined with its potential for remote code execution, makes it imperative that users act swiftly to update their systems and protect against potential attacks.

Fortinet’s patch for CVE-2025-25257 addresses a severe vulnerability in its FortiWeb platform, one that could lead to unauthorized SQL command execution and potentially remote code execution. With a CVSS score of 9.6, this flaw poses a significant security risk to affected organizations, particularly those relying on FortiWeb for web application security. It is crucial that users upgrade to the latest versions or apply temporary mitigation measures to prevent exploitation.

Critical eSIM Vulnerability in Kigen’s eUICC Cards Exposes Billions of IoT Devices to Security Risks

A newly discovered vulnerability in eSIM technology has raised serious concerns about the security of billions of Internet of Things (IoT) devices, particularly those relying on Kigen’s eUICC (embedded Universal Integrated Circuit Cards) technology. The flaw, identified by Security Explorations, exposes devices to potential hacking attacks that could lead to unauthorized access, data theft, and malicious control over communications.

The eSIM, or embedded SIM, is a digital SIM card embedded directly into devices, enabling users to activate cellular plans remotely without the need for a physical SIM card. The eUICC chip facilitates this process by allowing users to change operator profiles and remotely manage SIM data. However, a critical vulnerability has been found in the Kigen eUICC card’s implementation of the GSMA TS.48 Generic Test Profile, versions 6.0 and earlier.

This vulnerability allows attackers to install non-verified, malicious applets on the eUICC, which could be used to tamper with operator profiles and extract sensitive information. The flaw is linked to an outdated version of the GSMA TS.48 standard, which is primarily used for radio compliance testing in eSIM products. Although GSMA released an updated version (v7.0) to mitigate this issue, previous versions remain widely used, exposing devices to security risks.

Exploitation of this vulnerability requires physical access to the targeted eUICC and the use of publicly known keys. Once the attacker gains access, they can install a malicious JavaCard applet that can bypass security measures. The vulnerability enables the attacker to extract the Kigen eUICC’s identity certificate, which could allow them to download arbitrary mobile network operator (MNO) profiles in cleartext. This could result in unauthorized access to operator secrets, profile tampering, and even complete control over the eSIM profiles without raising red flags.

Security Explorations, which reported the findings, further connected the vulnerability to previous research on Oracle’s Java Card technology. Earlier flaws, including a persistent backdoor issue in Gemalto SIM cards, also relied on Java Card technology, potentially creating a broader risk across various IoT devices.

Though executing such an attack may seem complex, it is within the capabilities of advanced nation-state threat actors. Exploiting this vulnerability could allow attackers to deploy a stealthy backdoor within an eSIM card, intercepting all communications and compromising the device’s integrity. With control over the eSIM profile, attackers could even block remote access for the operator, falsify the profile’s state, or monitor all activity without detection.

In some cases, the vulnerability could lead to a situation where the operator loses control of the profile, with no ability to disable or invalidate it. Such breaches would undermine the security and reliability of mobile network operators, making them more susceptible to ongoing attacks or data theft.

In response to the findings, Kigen has released a patch addressing the issue in the latest GSMA TS.48 version 7.0, which restricts the use of the vulnerable test profile. However, devices running earlier versions of the standard remain exposed. The security of billions of IoT devices, including vehicles and consumer electronics, is now under scrutiny as manufacturers work to implement the necessary updates.

While Kigen has made strides in addressing the vulnerability, the discovery raises broader concerns about the security of eSIM technology across the IoT ecosystem. Given the rapid proliferation of IoT devices and the growing reliance on eSIM technology for remote provisioning, it’s clear that comprehensive security measures need to be implemented to safeguard against similar vulnerabilities in the future.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

News and Updates

Sign up to get the latest news and threat briefs:

Get in Touch

Telephone: 1-844-NETIZEN
Email: Team (at) Netizen.net
Office Locations:
Allentown, PA (Headquarters)
 Arlington, VA (DC Region)
 Charleston, SC (Southeast Region)

Connect With Us

    Facebook
    Twitter
    LinkedIn
    Instagram
    GitHub

Copyright © Netizen Corporation. All Rights Reserved.