|
2435 | 2435 | "https" |
2436 | 2436 | ], |
2437 | 2437 | "targets": null, |
2438 | | - "mod_time": "2025-11-14 17:06:30 +0000", |
| 2438 | + "mod_time": "2025-11-21 12:22:25 +0000", |
2439 | 2439 | "path": "/modules/auxiliary/admin/http/fortinet_fortiweb_create_admin.rb", |
2440 | 2440 | "is_install_path": true, |
2441 | 2441 | "ref_name": "admin/http/fortinet_fortiweb_create_admin", |
|
2449 | 2449 | "Reliability": [], |
2450 | 2450 | "SideEffects": [ |
2451 | 2451 | "ioc-in-logs" |
| 2452 | + ], |
| 2453 | + "RelatedModules": [ |
| 2454 | + "exploit/linux/http/fortinet_fortiweb_rce" |
2452 | 2455 | ] |
2453 | 2456 | }, |
2454 | 2457 | "session_types": false, |
|
74570 | 74573 | "session_types": false, |
74571 | 74574 | "needs_cleanup": null |
74572 | 74575 | }, |
| 74576 | + "exploit_linux/http/fortinet_fortiweb_rce": { |
| 74577 | + "name": "Fortinet FortiWeb unauthenticated RCE", |
| 74578 | + "fullname": "exploit/linux/http/fortinet_fortiweb_rce", |
| 74579 | + "aliases": [], |
| 74580 | + "rank": 600, |
| 74581 | + "disclosure_date": "2025-11-14", |
| 74582 | + "type": "exploit", |
| 74583 | + "author": [ |
| 74584 | + "Defused", |
| 74585 | + "sfewer-r7" |
| 74586 | + ], |
| 74587 | + "description": "This exploit module exploits an authentication bypass via path traversal vulnerability in the Fortinet\n FortiWeb management interface to create a new local administrator user account. From there a command\n injection vulnerability is leveraged to achieve RCE with root privileges.\n\n The auth bypass CVE-2025-64446 affects the following versions:\n\n * FortiWeb 8.0.0 through 8.0.1 (Patched in 8.0.2 and above)\n * FortiWeb 7.6.0 through 7.6.4 (Patched in 7.6.5 and above)\n * FortiWeb 7.4.0 through 7.4.9 (Patched in 7.4.10 and above)\n * FortiWeb 7.2.0 through 7.2.11 (Patched in 7.2.12 and above)\n * FortiWeb 7.0.0 through 7.0.11 (Patched in 7.0.12 and above)\n\n The command injection CVE-2025-58034 affects the following versions (Note the 7.6 and 7.4 branches are very\n slightly different when compared to the patch versions for CVE-2025-64446:\n\n * FortiWeb 8.0.0 through 8.0.1 (Patched in 8.0.2 and above)\n * FortiWeb 7.6.0 through 7.6.5 (Patched in 7.6.6 and above) <-- slight difference\n * FortiWeb 7.4.0 through 7.4.10 (Patched in 7.4.11 and above) <-- slight difference\n * FortiWeb 7.2.0 through 7.2.11 (Patched in 7.2.12 and above)\n * FortiWeb 7.0.0 through 7.0.11 (Patched in 7.0.12 and above)", |
| 74588 | + "references": [ |
| 74589 | + "CVE-2025-64446", |
| 74590 | + "CVE-2025-58034", |
| 74591 | + "URL-https://attackerkb.com/topics/zClpINmLCh/cve-2025-58034/rapid7-analysis", |
| 74592 | + "URL-https://x.com/defusedcyber/status/1975242250373517373", |
| 74593 | + "URL-https://github.com/watchtowrlabs/watchTowr-vs-Fortiweb-AuthBypass", |
| 74594 | + "URL-https://www.pwndefend.com/2025/11/13/suspected-fortinet-zero-day-exploited-in-the-wild/", |
| 74595 | + "URL-https://www.rapid7.com/blog/post/etr-critical-vulnerability-in-fortinet-fortiweb-exploited-in-the-wild/", |
| 74596 | + "URL-https://www.fortiguard.com/psirt/FG-IR-25-910", |
| 74597 | + "URL-https://www.fortiguard.com/psirt/FG-IR-25-513" |
| 74598 | + ], |
| 74599 | + "platform": "Unix", |
| 74600 | + "arch": "cmd", |
| 74601 | + "rport": 443, |
| 74602 | + "autofilter_ports": [ |
| 74603 | + 80, |
| 74604 | + 8080, |
| 74605 | + 443, |
| 74606 | + 8000, |
| 74607 | + 8888, |
| 74608 | + 8880, |
| 74609 | + 8008, |
| 74610 | + 3000, |
| 74611 | + 8443 |
| 74612 | + ], |
| 74613 | + "autofilter_services": [ |
| 74614 | + "http", |
| 74615 | + "https" |
| 74616 | + ], |
| 74617 | + "targets": [ |
| 74618 | + "Default" |
| 74619 | + ], |
| 74620 | + "mod_time": "2025-11-25 11:25:41 +0000", |
| 74621 | + "path": "/modules/exploits/linux/http/fortinet_fortiweb_rce.rb", |
| 74622 | + "is_install_path": true, |
| 74623 | + "ref_name": "linux/http/fortinet_fortiweb_rce", |
| 74624 | + "check": true, |
| 74625 | + "post_auth": false, |
| 74626 | + "default_credential": false, |
| 74627 | + "notes": { |
| 74628 | + "Stability": [ |
| 74629 | + "crash-safe" |
| 74630 | + ], |
| 74631 | + "Reliability": [ |
| 74632 | + "repeatable-session" |
| 74633 | + ], |
| 74634 | + "SideEffects": [ |
| 74635 | + "ioc-in-logs" |
| 74636 | + ], |
| 74637 | + "RelatedModules": [ |
| 74638 | + "auxiliary/admin/http/fortinet_fortiweb_create_admin" |
| 74639 | + ] |
| 74640 | + }, |
| 74641 | + "session_types": false, |
| 74642 | + "needs_cleanup": null |
| 74643 | + }, |
74573 | 74644 | "exploit_linux/http/fritzbox_echo_exec": { |
74574 | 74645 | "name": "Fritz!Box Webcm Unauthenticated Command Injection", |
74575 | 74646 | "fullname": "exploit/linux/http/fritzbox_echo_exec", |
@@ -250151,7 +250222,7 @@ |
250151 | 250222 | "autofilter_ports": null, |
250152 | 250223 | "autofilter_services": null, |
250153 | 250224 | "targets": null, |
250154 | | - "mod_time": "2025-11-25 20:07:48 +0000", |
| 250225 | + "mod_time": "2025-11-25 20:22:31 +0000", |
250155 | 250226 | "path": "/etc/shadow", |
250156 | 250227 | "is_install_path": null, |
250157 | 250228 | "ref_name": "linux/riscv32le/chmod", |
@@ -250254,7 +250325,7 @@ |
250254 | 250325 | "autofilter_ports": null, |
250255 | 250326 | "autofilter_services": null, |
250256 | 250327 | "targets": null, |
250257 | | - "mod_time": "2025-11-25 20:07:48 +0000", |
| 250328 | + "mod_time": "2025-11-25 20:22:31 +0000", |
250258 | 250329 | "path": "/etc/shadow", |
250259 | 250330 | "is_install_path": null, |
250260 | 250331 | "ref_name": "linux/riscv64le/chmod", |
|
0 commit comments