## https://sploitus.com/exploit?id=2E8EABA7-B730-5DD7-B3F7-CC2919F03958
# CVE-2025-64446 - FortiWeb Authentication Bypass Exploit
## Description
This script exploits a relative path traversal vulnerability in Fortinet FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. This vulnerability allows an attacker to potentially bypass authentication and create administrative accounts, leading to full system compromise. The vulnerability stems from improper handling of path traversal sequences in HTTP/HTTPS requests, enabling arbitrary command execution via crafted requests.
**Vulnerability Details:**
* **Type:** Relative Path Traversal, Authentication Bypass
* **Severity:** Critical (CVSS 3.1 Base Score: 9.8 - per Fortinet)
* **CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* **Affected Versions:**
* FortiWeb 8.0.0 - 8.0.1
* FortiWeb 7.6.0 - 7.6.4
* FortiWeb 7.4.0 - 7.4.9
* FortiWeb 7.2.0 - 7.2.11
* FortiWeb 7.0.0 - 7.0.11
## Usage
1. **Clone the repository (or download the script):**
```bash
git clone https://github.com/lincemorado97/CVE-2025-64446
cd CVE-2025-64446
```
2. **Install Dependencies:**
```bash
pip install -r requirements.txt
```
3. **Run the Script:**
```bash
python exploit.py [-u ] [-p ]
```
* ``: The IP address or hostname of the vulnerable FortiWeb appliance. This is a *required* argument.
* `-u ` (optional): Specify a custom username for the created administrative account. If not provided, a UUID will be used.
* `-p ` (optional): Specify a custom password for the created administrative account. If not provided, the username will be used as the password.
**Example:**
```bash
python exploit.py 192.168.1.100 -u admin123 -p password456
```
This will attempt to create an administrative account with the username "admin123" and password "password456" on the target appliance at 192.168.1.100.
If no username and password are specified:
```bash
python exploit.py 192.168.1.100
```
The script will generate a random UUID for the username and use it as the password.
4. **Verification:**
After running the script, check the FortiWeb appliance for the newly created administrative account. Attempt to log in with the specified (or automatically generated) username and password. Successful login confirms successful exploitation.


## References
* [NVD](https://nvd.nist.gov/) (Search for Fortinet FortiWeb vulnerabilities)
* [Fortinet Security Advisories](https://www.fortinet.com/security-advisories)
This README provides a comprehensive guide to using the provided script for ethical security testing of FortiWeb appliances. Remember to always act responsibly and with proper authorization.