Fortinet security advisory (AV25-406) - Update 2

Serial number: AV25-406
Date: July 8, 2025

Updated: July 18, 2025

On July 8, 2025, Fortinet published security advisories to address vulnerabilities in multiple products. Included were updates for the following:

  • FortiAnalyzer – multiple versions
  • FortiAnalyzer Cloud – multiple versions
  • FortiIsolator – multiple versions
  • FortiManager – multiple versions
  • FortiManager Cloud – multiple versions
  • FortiOS 7.6 – versions 7.6.0 to 7.6.1
  • FortiOS 7.4 – versions 7.4.0 to 7.4.7
  • FortiOS 7.2 – versions 7.2.0 to 7.2.11
  • FortiOS 7.0 – versions 7.0.1 to 7.0.16
  • FortiProxy 7.6 – versions 7.6.0 to 7.6.1
  • FortiProxy 7.4 – versions 7.4.0 to 7.4.8
  • FortiProxy 7.2 – versions 7.2.0 to 7.2.13
  • FortiProxy 7.0 – versions 7.0.0 to 7.0.20
  • FortiSandbox – multiple versions
  • FortiVoice 6.4 – versions 6.4.0 to 6.4.10
  • FortiVoice 7.0 – versions 7.0.0 to 7.0.6
  • FortiVoice 7.2 – version 7.2.0
  • FortiWeb – multiple versions

Update 2

On July 18, 2025, CISA added CVE-2025-25257 to their Known Exploited Vulnerabilities (KEV) Catalog.

On July 18, 2025, Fortinet updated their advisory to indicate that this vulnerability has been exploited.

Update 1

CVE-2025-25257: Unauthenticated SQL injection in GUI affecting:

  • FortiWeb 7.6 – versions 7.6.0 to 7.6.3
  • FortiWeb 7.4 – versions 7.4.0 to 7.4.7
  • FortiWeb 7.2 – versions 7.2.0 to 7.2.10
  • FortiWeb 7.0 – versions 7.0.0 to 7.0.10