Fortinet has patched a critical SQL injection vulnerability (CVE-2025-25257, CVSS 9.6) in its FortiWeb product that could allow unauthenticated attackers to execute arbitrary SQL commands via crafted HTTP/HTTPS requests. The flaw affects multiple FortiWeb versions from 7.0.0 to 7.6.3 and stems from unsanitized input in the get_fabric_user_by_token function tied to the Fabric Connector component. Exploitation could lead to remote code execution. Users are urged to upgrade to the latest fixed versions and temporarily disable HTTP/HTTPS administrative access if patches can't be applied immediately.