Related vulnerability
Title: Fortinet FortiWeb security vulnerability (CVE-2025-64446). Description: Fortinet FortiWeb is a web application firewall from the US company Fortinet; it blocks attacks such as cross-site scripting, SQL injection, cookie poisoning and schema poisoning, securing web applications and protecting sensitive database content. Fortinet FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11 and 7.0.0 through 7.0.11 contain a security vulnerability caused by relative path traversal, which may allow execution of administrative commands.
Description
CVE-2025-64446
Introduction
# 🚨 **FortiWeb Critical Path Traversal (CVE-2025-64446): Unauthenticated RCE via Admin Account Creation** 🔓💥

---
## ✦ 1. Overview
A newly disclosed **0-day vulnerability** in FortiWeb WAF appliances has been **actively exploited in the wild**.
Attackers can abuse an authentication-bypass flaw to **create unauthorized admin accounts**, leading to full device compromise.

---
## ✦ 2. Severity
<img width="811" height="527" alt="CVF1" src="https://github.com/user-attachments/assets/f2c8233c-3b85-4de0-b41d-822d2d54d602" />
**Critical — Full Administrative Takeover**
* Complete control of the WAF
* Ability to disable protections
* Possible lateral movement
* Threat to downstream applications and internal networks
---
## ✦ 3. Affected Versions
Likely impacted: **FortiWeb versions prior to 8.0.2**
Patched: **8.0.2 and newer**
(*Patch was released quietly; admins may not realize exposure.*)

---
## ✦ 4. Observable Indicators of Compromise (IOCs)
### ✦ Suspicious Admin Activity
* Unknown admin accounts
* Accounts created at unusual times
* Admin accounts with odd naming patterns
### ✦ Unusual Requests
* Spikes in **POST requests** targeting administrative endpoints
* Attempts to hit **/cgi-bin/** or hidden API paths
* Requests lacking valid session tokens
### ✦ Configuration Irregularities
* Disabled security policies
* Modified certificates or WAF rules
* Log settings altered or reduced
### ✦ Log & System Anomalies
* Successful logins following repeated failures
* Access from unfamiliar IPs
* Activity during low-traffic hours
---
## ✦ 5. Immediate Protection Steps
### ✦ Patch Immediately
Upgrade to **FortiWeb 8.0.2+** without delay.
### ✦ Lock Down Management Access
* Remove public internet exposure
* Allow only trusted IP ranges
* Prefer admin access **through VPN**
* Enable MFA (if available)
### ✦ Audit the Device
* Review all admin accounts
* Check logs for IOC patterns
* Compare current config against backup
### ✦ If Compromise is Suspected
* Export logs before reboot
* Isolate the FortiWeb device
* Rebuild with clean firmware
* Rotate all connected system credentials
---
## ✦ 6. Recommended Hardening (Post-Patch)
### ✦ Network Layer
* Place management behind VPN or jump-host
* Enforce IP allow-listing
* Disable HTTP management if HTTPS is available
### ✦ WAF Policy Hygiene
* Enable logging at high verbosity
* Enforce strict rulesets for administrative paths
* Monitor for anomalies with SIEM or XDR
### ✦ Continuous Monitoring
* Track admin account creation events
* Monitor configuration diffs daily
* Watch for unusual traffic to management endpoints
---
## ✦ 7. Optional Add-Ons
I can also produce — aesthetically formatted:
✔ A one-page PDF briefing
✔ A visual incident-response flowchart
✔ A FortiWeb hardening checklist
✔ A SOC playbook for monitoring this vulnerability
✔ A color-coded IOC cheat sheet

---
# ✦ FortiWeb 0-day — Tables & Schemas
This document contains ready-to-use **tables, SQL CREATE statements, and JSON schema** for tracking FortiWeb-related telemetry, IOCs, patching, and incident response. Designed for ingestion into a SIEM, CMDB, or incident-tracker.
## Exploitation behavior

When the public exploit is run against a target FortiWeb device, the application's response differs between versions 8.0.1 and 8.0.2, as shown below.

Against version 8.0.1, the application returns the following response for a successful exploitation attempt, in which a new malicious local administrator account "hax0r" was created:

```http
HTTP/1.1 200 OK
Date: Thu, 13 Nov 2025 17:57:28 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: script-src 'self'; default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; upgrade-insecure-requests; block-all-mixed-content;
X-Content-Type-Options: nosniff
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json
Content-Length: 1202

{ "results": { "can_view": 0, "q_ref": 0, "can_clone": 1, "q_type": 1, "name": "hax0r", "access-profile": "prof_admin", "access-profile_val": "1008", "trusthostv4": "0.0.0.0\/0 ", "trusthostv6": "::\/0 ", "last-name": "", "first-name": "", "email-address": "", "phone-number": "", "mobile-number": "", "hidden": 0, "domains": "root ", "gui-global-menu-favorites": "", "gui-vdom-menu-favorites": "", "sz_dashboard": 8, "sz_gui-dashboard": 7, "type": "local-user", "type_val": "0", "admin-usergrp": "", "admin-usergrp_val": "0", "password": "ENC XXXX", "wildcard": "disable", "wildcard_val": "0", "accprofile-override": "disable", "accprofile-override_val": "0", "fortiai": "disable", "fortiai_val": "0", "sshkey": "", "passwd-set-time": 1763056648, "history-password-pos": 1, "history-password0": "ENC XXXX", "history-password1": "ENC XXXX", "history-password2": "ENC XXXX", "history-password3": "ENC XXXX", "history-password4": "ENC XXXX", "history-password5": "ENC XXXX", "history-password6": "ENC XXXX", "history-password7": "ENC XXXX", "history-password8": "ENC XXXX", "history-password9": "ENC XXXX", "force-password-change": "disable", "force-password-change_val": "0", "feature-info-ver": "" } }
```
```text
┌──(kali㉿kali)-[~]
└─$ sudo python3 CVE-2025-XXXXX.py 192.168.0.0
[sudo] password for kali:
██████╗ ██╗ █████╗ ██████╗ ██╗ ██╗ █████╗ ███████╗ ██╗ ██╗
██╔══██╗ ██║ ██╔══██╗ ██╔════╝ ██║ ██╔╝ ██╔══██╗ ██╔════╝ ██║ ██║
██████╔╝ ██║ ███████║ ██║ █████╔╝ ███████║ ███████╗ ███████║
██╔══██╗ ██║ ██╔══██║ ██║ ██╔═██╗ ██╔══██║ ╚════██║ ██╔══██║
██████╔╝ ███████╗ ██║ ██║ ╚██████╗ ██║ ██╗ ██║ ██║ ███████║ ██║ ██║
╚═════╝ ╚══════╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚══════╝ ╚═╝ ╚═╝
(*) Fortinet FortiWeb 0-Day Exploited to Hijack Admin Accounts !!!
Github : "B1ack4sh"==> TH3 M4TR1X 5L4Y3R !!!
CVEs: [CVE-2025-XXXXX]
[+] Exploit sent successfully.
[*] Check for the new user [ 5h63fnpm ] with password [ 5h63fnpm ]
```
---
## 1) `devices` — Inventory of FortiWeb appliances
| Column | Type | Description | Example |
| ------------ | ----------------------: | ----------------------------------------------- | ---------------------------------- |
| device_id | VARCHAR(64) PRIMARY KEY | Unique device identifier (UUID) | `fw-7d3b2a1f` |
| hostname | VARCHAR(128) | Hostname of the appliance | `fortiweb-prod-01` |
| ip_address | VARCHAR(45) | IPv4 or IPv6 management IP | `198.51.100.12` |
| fw_version | VARCHAR(32) | Firmware version installed | `7.2.5` |
| last_seen | TIMESTAMP | Last heartbeat time | `2025-11-14T09:32:00Z` |
| mgmt_exposed | BOOLEAN | Whether management interface is internet-facing | `true` |
| notes | TEXT | Free-form notes | `Placed in DMZ; scheduled upgrade` |
### SQL
```sql
CREATE TABLE devices (
  device_id    VARCHAR(64) PRIMARY KEY,
  hostname     VARCHAR(128) NOT NULL,
  ip_address   VARCHAR(45) NOT NULL,
  fw_version   VARCHAR(32) NOT NULL,
  last_seen    TIMESTAMP,
  mgmt_exposed BOOLEAN DEFAULT FALSE,
  notes        TEXT
);
```
### JSON Schema
```json
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "devices",
  "type": "object",
  "properties": {
    "device_id": {"type": "string"},
    "hostname": {"type": "string"},
    "ip_address": {"type": "string"},
    "fw_version": {"type": "string"},
    "last_seen": {"type": "string", "format": "date-time"},
    "mgmt_exposed": {"type": "boolean"},
    "notes": {"type": "string"}
  },
  "required": ["device_id", "hostname", "ip_address", "fw_version"]
}
```
---
## 2) `admin_accounts` — Administrative accounts on FortiWeb devices
| Column | Type | Description | Example |
| ---------- | ----------------------: | ---------------------------------- | ----------------------------- |
| account_id | VARCHAR(64) PRIMARY KEY | Unique account identifier | `acct-9f3e` |
| device_id | VARCHAR(64) | Foreign key -> devices.device_id | `fw-7d3b2a1f` |
| username | VARCHAR(64) | Admin username | `webadmin` |
| created_at | TIMESTAMP | Creation timestamp | `2025-11-12T02:11:00Z` |
| created_by | VARCHAR(128) | Creator (if known) | `local` or `syslog:10.0.0.5` |
| privilege | VARCHAR(32) | Role/privilege (e.g., super-admin) | `super-admin` |
| source_ip | VARCHAR(45) | IP that created the account | `203.0.113.45` |
| notes | TEXT | Any detective notes | `unknown creator; suspicious` |
### SQL
```sql
CREATE TABLE admin_accounts (
  account_id VARCHAR(64) PRIMARY KEY,
  device_id  VARCHAR(64) NOT NULL,
  username   VARCHAR(64) NOT NULL,
  created_at TIMESTAMP,
  created_by VARCHAR(128),
  privilege  VARCHAR(32),
  source_ip  VARCHAR(45),
  notes      TEXT,
  FOREIGN KEY (device_id) REFERENCES devices(device_id)
);
```
### JSON Schema
```json
{
  "title": "admin_accounts",
  "type": "object",
  "properties": {
    "account_id": {"type": "string"},
    "device_id": {"type": "string"},
    "username": {"type": "string"},
    "created_at": {"type": "string", "format": "date-time"},
    "created_by": {"type": "string"},
    "privilege": {"type": "string"},
    "source_ip": {"type": "string"},
    "notes": {"type": "string"}
  },
  "required": ["account_id", "device_id", "username"]
}
```
---
## 3) `web_requests` — Management/API request logs (for detecting suspicious POSTs)
| Column | Type | Description | Example |
| ------------- | ----------------------: | --------------------------- | --------------------------- |
| req_id | VARCHAR(64) PRIMARY KEY | Unique request id | `req-0001` |
| device_id | VARCHAR(64) | Device the request targeted | `fw-7d3b2a1f` |
| timestamp | TIMESTAMP | When request occurred | `2025-11-14T03:20:11Z` |
| src_ip | VARCHAR(45) | Source IP of request | `198.51.100.77` |
| method | VARCHAR(8) | HTTP method | `POST` |
| uri | VARCHAR(256) | Request URI | `/cgi-bin/fwbcgi?something` |
| user_agent | VARCHAR(256) | UA string | `curl/7.76.1` |
| status_code | INTEGER | HTTP response code | `200` |
| session_token | VARCHAR(256) | Session token (if any) | `-` |
| payload_hash | VARCHAR(128) | Hash of POST body for dedup | `sha256:...` |
### SQL
```sql
CREATE TABLE web_requests (
  req_id        VARCHAR(64) PRIMARY KEY,
  device_id     VARCHAR(64) NOT NULL,
  timestamp     TIMESTAMP NOT NULL,
  src_ip        VARCHAR(45),
  method        VARCHAR(8),
  uri           VARCHAR(256),
  user_agent    VARCHAR(256),
  status_code   INTEGER,
  session_token VARCHAR(256),
  payload_hash  VARCHAR(128),
  FOREIGN KEY (device_id) REFERENCES devices(device_id)
);
```
### JSON Schema
```json
{
  "title": "web_requests",
  "type": "object",
  "properties": {
    "req_id": {"type": "string"},
    "device_id": {"type": "string"},
    "timestamp": {"type": "string", "format": "date-time"},
    "src_ip": {"type": "string"},
    "method": {"type": "string"},
    "uri": {"type": "string"},
    "user_agent": {"type": "string"},
    "status_code": {"type": "integer"},
    "session_token": {"type": "string"},
    "payload_hash": {"type": "string"}
  },
  "required": ["req_id", "device_id", "timestamp", "uri"]
}
```
---
## 4) `iocs` — Indicator of Compromise registry
| Column | Type | Description | Example |
| ---------- | ----------------------: | ------------------------------- | ------------------------------ |
| ioc_id | VARCHAR(64) PRIMARY KEY | Unique IOC id | `ioc-20251114-01` |
| type | VARCHAR(32) | `ip`, `uri`, `username`, `hash` | `uri` |
| value | VARCHAR(512) | IOC value | `/cgi-bin/fwbcgi` |
| first_seen | TIMESTAMP | First observed | `2025-11-12T22:01:00Z` |
| confidence | INTEGER | 0-100 score | `85` |
| source | VARCHAR(128) | Source of IOC | `bleepingcomputer` |
| notes | TEXT | Context or remediation notes | `linked to admin creation PoC` |
### SQL
```sql
CREATE TABLE iocs (
  ioc_id     VARCHAR(64) PRIMARY KEY,
  type       VARCHAR(32),
  value      VARCHAR(512),
  first_seen TIMESTAMP,
  confidence INTEGER,
  source     VARCHAR(128),
  notes      TEXT
);
```
### JSON Schema
```json
{
  "title": "iocs",
  "type": "object",
  "properties": {
    "ioc_id": {"type": "string"},
    "type": {"type": "string"},
    "value": {"type": "string"},
    "first_seen": {"type": "string", "format": "date-time"},
    "confidence": {"type": "integer"},
    "source": {"type": "string"},
    "notes": {"type": "string"}
  },
  "required": ["ioc_id", "type", "value"]
}
```
---
## 5) `patch_inventory` — Track patching status and actions
| Column | Type | Description | Example |
| -------------- | ----------------------: | ---------------------------------- | ----------------------------------- |
| patch_id | VARCHAR(64) PRIMARY KEY | Unique patch record id | `patch-20251114-01` |
| device_id | VARCHAR(64) | Device patched | `fw-7d3b2a1f` |
| target_version | VARCHAR(32) | Version applied | `8.0.2` |
| applied_at | TIMESTAMP | When patch was applied | `2025-11-13T11:05:00Z` |
| applied_by | VARCHAR(128) | Operator | `ops@company.com` |
| result | VARCHAR(32) | `success`, `failed`, `rolled-back` | `success` |
| notes | TEXT | Rollback or issue notes | `Reboot required; config validated` |
### SQL
```sql
CREATE TABLE patch_inventory (
  patch_id       VARCHAR(64) PRIMARY KEY,
  device_id      VARCHAR(64) NOT NULL,
  target_version VARCHAR(32) NOT NULL,
  applied_at     TIMESTAMP,
  applied_by     VARCHAR(128),
  result         VARCHAR(32),
  notes          TEXT,
  FOREIGN KEY (device_id) REFERENCES devices(device_id)
);
```
### JSON Schema
```json
{
  "title": "patch_inventory",
  "type": "object",
  "properties": {
    "patch_id": {"type": "string"},
    "device_id": {"type": "string"},
    "target_version": {"type": "string"},
    "applied_at": {"type": "string", "format": "date-time"},
    "applied_by": {"type": "string"},
    "result": {"type": "string"},
    "notes": {"type": "string"}
  },
  "required": ["patch_id", "device_id", "target_version"]
}
```
---
## 6) `incidents` — Incident tracking for suspected compromises
| Column | Type | Description | Example |
| ------------- | ----------------------: | -------------------------------- | -------------------------------------- |
| incident_id | VARCHAR(64) PRIMARY KEY | Unique incident id | `inc-20251114-001` |
| device_id | VARCHAR(64) | Affected device | `fw-7d3b2a1f` |
| detected_at | TIMESTAMP | Detection time | `2025-11-14T04:12:00Z` |
| severity | VARCHAR(16) | `low`,`medium`,`high`,`critical` | `critical` |
| status | VARCHAR(16) | `open`,`triaged`,`closed` | `open` |
| summary | TEXT | Short description | `Unauthorized admin creation detected` |
| actions_taken | TEXT | Steps performed | `isolated device; exported logs` |
| assigned_to | VARCHAR(128) | Owner | `secops-team` |
### SQL
```sql
CREATE TABLE incidents (
  incident_id   VARCHAR(64) PRIMARY KEY,
  device_id     VARCHAR(64),
  detected_at   TIMESTAMP,
  severity      VARCHAR(16),
  status        VARCHAR(16),
  summary       TEXT,
  actions_taken TEXT,
  assigned_to   VARCHAR(128),
  FOREIGN KEY (device_id) REFERENCES devices(device_id)
);
```
### JSON Schema
```json
{
  "title": "incidents",
  "type": "object",
  "properties": {
    "incident_id": {"type": "string"},
    "device_id": {"type": "string"},
    "detected_at": {"type": "string", "format": "date-time"},
    "severity": {"type": "string"},
    "status": {"type": "string"},
    "summary": {"type": "string"},
    "actions_taken": {"type": "string"},
    "assigned_to": {"type": "string"}
  },
  "required": ["incident_id", "device_id", "detected_at", "severity"]
}
```
---
## 7) `hardening_controls` — Recommended controls checklist & status
| Column | Type | Description | Example |
| -------------- | ----------------------: | ---------------------------------------- | ----------------------------------- |
| control_id | VARCHAR(64) PRIMARY KEY | Unique control id | `ctrl-01` |
| control_name | VARCHAR(128) | Short name | `Mgmt behind VPN` |
| description | TEXT | What the control enforces | `Restrict admin access to VPN only` |
| device_id | VARCHAR(64) | Optional: device-specific | `fw-7d3b2a1f` |
| status | VARCHAR(32) | `implemented`,`planned`,`not-applicable` | `implemented` |
| implemented_at | TIMESTAMP | When implemented | `2025-11-13T14:00:00Z` |
| owner | VARCHAR(128) | Who is responsible | `netops` |
### SQL
```sql
CREATE TABLE hardening_controls (
  control_id     VARCHAR(64) PRIMARY KEY,
  control_name   VARCHAR(128),
  description    TEXT,
  device_id      VARCHAR(64),
  status         VARCHAR(32),
  implemented_at TIMESTAMP,
  owner          VARCHAR(128),
  FOREIGN KEY (device_id) REFERENCES devices(device_id)
);
```
### JSON Schema
```json
{
  "title": "hardening_controls",
  "type": "object",
  "properties": {
    "control_id": {"type": "string"},
    "control_name": {"type": "string"},
    "description": {"type": "string"},
    "device_id": {"type": "string"},
    "status": {"type": "string"},
    "implemented_at": {"type": "string", "format": "date-time"},
    "owner": {"type": "string"}
  },
  "required": ["control_id", "control_name", "status"]
}
```
---
## Quick ingest tips
* Use `web_requests` + SIEM rules to alert on:
  * `method = 'POST'` AND `uri LIKE '%/cgi-bin/%'`
  * sudden creation of `admin_accounts` rows for devices where `mgmt_exposed = true`
* Map `iocs` into firewall deny lists and EDR feeds where appropriate.
* Preserve logs (syslog + appliance config backups) before any remediation or reboot.
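The two SIEM rules above, combined with the "requests lacking valid session tokens" indicator from section 4, as an added example that is not part of the original README: it loads trimmed versions of the `devices`, `admin_accounts` and `web_requests` tables into SQLite and runs both rules over constructed sample rows. Every device id, IP address, URI, account and timestamp in the sample data is made up for the example.

```python
import sqlite3

# Trimmed SQLite versions of the page's `devices`, `admin_accounts` and
# `web_requests` tables (only the columns the two rules below need).
SCHEMA = """
CREATE TABLE devices (device_id TEXT PRIMARY KEY, hostname TEXT NOT NULL,
                      fw_version TEXT NOT NULL, mgmt_exposed INTEGER DEFAULT 0);
CREATE TABLE admin_accounts (account_id TEXT PRIMARY KEY,
    device_id TEXT NOT NULL REFERENCES devices(device_id), username TEXT NOT NULL,
    created_at TEXT, source_ip TEXT);
CREATE TABLE web_requests (req_id TEXT PRIMARY KEY,
    device_id TEXT NOT NULL REFERENCES devices(device_id), timestamp TEXT NOT NULL,
    src_ip TEXT, method TEXT, uri TEXT, status_code INTEGER, session_token TEXT);
"""

# Constructed sample telemetry (not real logs): one exposed 8.0.1 appliance, one patched 8.0.2.
DEVICES = [("fw-7d3b2a1f", "fortiweb-prod-01", "8.0.1", 1),
           ("fw-0c9e4b22", "fortiweb-int-02", "8.0.2", 0)]
REQUESTS = [  # req_id, device_id, timestamp, src_ip, method, uri, status, session_token
    ("req-0001", "fw-7d3b2a1f", "2025-11-14T03:20:11Z", "198.51.100.77", "POST", "/cgi-bin/fwbcgi", 200, None),
    ("req-0002", "fw-7d3b2a1f", "2025-11-14T09:00:00Z", "10.0.0.5", "GET", "/api/status", 200, "tok-abc"),
    ("req-0003", "fw-0c9e4b22", "2025-11-14T03:21:00Z", "198.51.100.77", "POST", "/cgi-bin/fwbcgi", 403, None)]
ACCOUNTS = [("acct-9f3e", "fw-7d3b2a1f", "hax0r", "2025-11-14T03:20:12Z", "198.51.100.77"),
            ("acct-0001", "fw-0c9e4b22", "webadmin", "2025-10-01T10:00:00Z", "10.0.0.5")]

# Rule 1: POST to a /cgi-bin/ path with no session token. The status code tells
# you whether it was only an attempt (403 on the patched box) or succeeded (200).
CGI_POST_RULE = """
SELECT req_id, device_id, src_ip, status_code FROM web_requests
WHERE method = 'POST' AND uri LIKE '%/cgi-bin/%'
  AND (session_token IS NULL OR session_token = '')
ORDER BY timestamp"""

# Rule 2: admin accounts created since a cutoff on devices whose management
# interface is internet-facing (mgmt_exposed = true in the page's schema).
EXPOSED_ADMIN_RULE = """
SELECT a.account_id, a.username, d.device_id, d.fw_version
FROM admin_accounts a JOIN devices d USING (device_id)
WHERE d.mgmt_exposed = 1 AND a.created_at >= ?"""

def build_db():
    """Load the constructed telemetry into an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO devices VALUES (?,?,?,?)", DEVICES)
    con.executemany("INSERT INTO web_requests VALUES (?,?,?,?,?,?,?,?)", REQUESTS)
    con.executemany("INSERT INTO admin_accounts VALUES (?,?,?,?,?)", ACCOUNTS)
    return con

def run_rules(con, since="2025-11-13T00:00:00Z"):
    """Return the rows each rule would alert on (ISO-8601 timestamps sort as strings)."""
    return {"cgi_post_no_token": con.execute(CGI_POST_RULE).fetchall(),
            "admin_on_exposed_device": con.execute(EXPOSED_ADMIN_RULE, (since,)).fetchall()}
```

Rule 1 fires on both the successful request and the 403 against the patched device, so the status code is what separates an attempt from a compromise when triaging.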
---
## ⚠️ Disclaimer
This information is provided only for defensive and educational cybersecurity purposes. It must not be used to develop, test, or perform unauthorized attacks. All actions should comply with applicable laws and organizational policies.
File snapshot
[4.0K] /data/pocs/5733a33c444afb7d83d6f0545278fcb383b631a1
└── [ 21K] README.md
1 directory, 1 file
Notes
1. It is recommended to access the original source first.
2. If the source is no longer available or cannot be accessed, email f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.