Fortinet FortiWeb Relative Path Traversal Authentication Bypass
CVE-2025-64446 is a critical relative path traversal vulnerability in Fortinet FortiWeb that affects FortiWeb 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. Fortinet states the flaw may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests. Public reporting indicates that exploitation abuses a traversable GUI/API path to reach legacy CGI functionality such as fwbcgi, enabling attacker-controlled administrative actions, including creation of new administrator accounts and access to the FortiWeb Manager panel and the websocket command-line interface.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
9 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (10 hidden).
Repository contains a FortiWeb CVE-2025-64446 exploit, a Nuclei detection template, and a larger Python scanner/classifier. Because the repository includes a Nuclei template, the framework is identified as nuclei, but the repo is not limited to framework content; the main offensive capability is in CVE-2025-64446.py. That script is a standalone Python exploit that takes a target in host:port format, disables TLS verification, and sends a POST request to the traversal endpoint /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi. It forges a CGIINFO header containing base64-encoded JSON impersonating admin context and submits a JSON body that creates a new local administrator with prof_admin privileges, unrestricted trust hosts, and a generated password. If the server returns HTTP 200, the script reports the newly created credentials. The included CVE-2025-64446.yaml is a Nuclei template for safe detection only: it posts to the same traversal path and matches on HTTP 200 plus response content such as errcode/admin while excluding 403. The larger RCE-Fortiweb.py file is not an RCE exploit despite its name; from the visible code it is a concurrent scanner/classifier that probes /api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi, follows redirects, inspects response bodies/headers, and labels targets as VULNERABLE, PATCHED, POSSIBLY PATCHED, or INDETERMINATE. Overall, the repository’s purpose is to exploit and detect Fortinet FortiWeb authentication bypass/path traversal leading to unauthenticated administrator creation on affected versions.
This repository contains a working exploit for CVE-2025-64446, a critical unauthenticated path traversal vulnerability in Fortinet FortiWeb appliances (versions prior to 8.0.2). The exploit is implemented in Python (CVE-2025-64446.py) and automates the process of creating a new local administrator account on a vulnerable FortiWeb device by sending a specially crafted POST request to a hidden CGI endpoint. The exploit takes a single target or a file of targets, attempts exploitation, and writes results (including credentials for any successfully created admin accounts) to a local file. The README.md provides extensive background, impact, IOCs, and defensive recommendations. The main attack vector is network-based, targeting the management interface over HTTPS. The endpoint '/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi' is fingerprintable and central to the exploit. The exploit is operational, providing real admin access if successful, but does not include post-exploitation payloads beyond account creation.
This repository provides a comprehensive exploit toolkit for CVE-2025-64446, a critical path traversal and remote code execution vulnerability in Fortinet FortiWeb WAF. The repository contains two main Python scripts: 1. cve_2025_64446_fortiweb_exploit.py: A full-featured exploit tool that automates detection of FortiWeb WAF, tests for path traversal using multiple payload variations, attempts to read sensitive files (such as configuration files and /etc/passwd), uploads a webshell, and executes arbitrary commands on the target. It supports scanning multiple targets, proxy usage, multi-threading, and outputs results in JSON format. 2. cve_2025_64446_poc.py: A simple proof-of-concept script that demonstrates the vulnerability by attempting to read arbitrary files via path traversal, confirming the presence of the vulnerability without causing harm. The exploit works by sending HTTP requests with crafted path traversal payloads to endpoints on the target FortiWeb instance. If successful, it can read sensitive files and escalate to remote code execution. The scripts are intended for authorized security testing and research only. The repository also includes a README with detailed usage instructions, mitigation advice, and references to official advisories. No hardcoded IP addresses or domains are present; the scripts operate on user-supplied targets. The main fingerprintable endpoints are the path traversal payloads and standard FortiWeb detection endpoints (e.g., /login, /index.html).
This repository contains a working exploit for a critical unauthenticated remote code execution (RCE) chain affecting Fortinet FortiWeb appliances. The exploit leverages two vulnerabilities: CVE-2025-64446 (authentication bypass via relative path traversal) and CVE-2025-58034 (authenticated OS command injection). The provided Python script (exploit.py) automates the first stage of the attack by sending a crafted POST request to the vulnerable endpoint (/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi) to create a new administrative user without prior authentication. The script accepts the target IP/hostname and optional username/password for the new admin account. Once the account is created, the attacker can log in and exploit the command injection vulnerability to execute arbitrary commands as root (the second stage is described in the README but not fully automated in the script). The repository also includes a requirements.txt for dependencies and a detailed README.md explaining the vulnerabilities, usage, and impact. The exploit is operational and provides a clear path to full system compromise on affected FortiWeb versions.
This repository contains a proof-of-concept exploit for CVE-2025-64446, targeting Fortinet FortiWeb appliances. The exploit is implemented in a single script (CVE-2025-64446.py) and demonstrates an unauthenticated remote code execution (RCE) vulnerability via a combination of path traversal and CGI authentication bypass. The script crafts a base64-encoded header and a JSON payload to create a new administrative user on the target system by sending a specially crafted HTTP POST request to a vulnerable API endpoint (https://localhost:38443/api/v2.0/cmdb/system/admin%3f/../../../cgi-bin/fwbcgi). The exploit uses 'curl' via subprocess to perform the attack. The repository also includes a README.md briefly describing the vulnerability and a standard GNU GPL license file. No detection scripts or fake code are present; the exploit is functional and demonstrates the vulnerability by creating a new admin user.
This repository contains a working proof-of-concept exploit for CVE-2025-64446, a critical unauthenticated remote code execution vulnerability in Fortinet FortiWeb appliances. The exploit is implemented in a single Python script (cve-2025-64446.py) and is accompanied by a detailed README.md explaining the vulnerability and usage instructions. The exploit leverages a path traversal flaw to reach an internal CGI handler, forges authentication headers, and sends a crafted JSON payload to create a new local administrative user on the target device. The script requires the attacker to specify the target's IP address and port in the format <host:port>. Upon successful exploitation, the script outputs the credentials for the newly created admin user, granting the attacker full administrative access to the device. The attack is fully remote, requires no prior authentication, and is executed via a single HTTPS POST request to a vulnerable endpoint. No hardcoded IPs or domains are present; the target is specified at runtime. The repository is well-structured, with clear separation between documentation and exploit code.
This repository contains a Python exploit (exploit_forti.py) targeting CVE-2025-64446 in Fortinet FortiWeb (WAF) appliances. The exploit allows an attacker to create a new local admin user with a known password by sending a specially crafted POST request to a vulnerable endpoint on the target device. The script can take a single target or a file containing multiple targets, and attempts exploitation over HTTPS (default port 443, but customizable). Results, including successful credentials, are saved to a local file (fortiweb_exploit_results.txt). The repository also includes a README.md with usage instructions and a sample result screenshot. The exploit is operational, providing real administrative access if the target is vulnerable. No detection-only or fake code is present; the exploit is functional and focused on privilege escalation via user creation.
This repository provides a Python-based exploit tool for CVE-2025-64446, a path traversal vulnerability in Fortinet FortiWeb web application firewalls. The repository contains three files: a detailed README.md with usage instructions, a requirements.txt listing dependencies (requests, urllib3), and the main exploit script exploit.py. The exploit.py script allows users to verify if a FortiWeb device is vulnerable by attempting to access internal API endpoints using crafted path traversal payloads. If the device is found vulnerable, the tool can exploit the CGI endpoint to create or modify user accounts, effectively allowing privilege escalation or unauthorized access. The tool supports both single and multiple targets, configurable via command-line arguments or a file. All network interactions are performed over HTTP or HTTPS (default port 443), and the endpoints targeted are specific to FortiWeb's internal API structure. The exploit is operational, providing both detection and exploitation capabilities, and is intended for authorized security testing only.
This repository provides a proof-of-concept (PoC) and a research tool for CVE-2025-64446, a critical path traversal vulnerability in Fortinet FortiWeb. The repository contains six files: a disclaimer, license, README, requirements, and two Python scripts ('exploit.py' and 'poc.py'). The README details the affected FortiWeb versions and usage instructions. The 'poc.py' script is a detection tool that checks if a target is vulnerable by sending crafted HTTP(S) requests with path traversal payloads to specific API endpoints and attempts to gather system information. The 'exploit.py' script is a non-destructive research tool that probes the same endpoints to collect response data, but does not execute any commands or alter the system. Both scripts require Python 3.6+ and the 'requests' library. The main attack vector is network-based, targeting the FortiWeb web interface over HTTP or HTTPS. The endpoints targeted are administrative and configuration APIs, accessed via path traversal sequences. No destructive or post-exploitation payloads are included; the tools are strictly for detection and research purposes.
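A defender's companion to the traversal endpoint named in the CVE summary and to the 200-versus-403 split used by the Nuclei detection template described above. This is an added example, not code from Mallory or from any of the listed repositories: it normalizes request paths taken from web-server access logs so that the plain and the percent-encoded forms of the traversal resolve to the same handler before matching. The log format, sample lines and IP addresses are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format, documentation-range IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Nov/2025:10:01:02 +0000] "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512
192.0.2.11 - - [14/Nov/2025:10:01:05 +0000] "POST /api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi HTTP/1.1" 403 0
192.0.2.12 - - [14/Nov/2025:10:01:09 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 200 2048
192.0.2.13 - - [14/Nov/2025:10:01:12 +0000] "POST /api/v2.0/cmdb/system/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/cgi-bin/fwbcgi HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
SENSITIVE_SUFFIX = '/cgi-bin/fwbcgi'  # legacy CGI handler named on this page

def normalize_path(raw: str) -> str:
    """Decode twice (catches %2e%2e and double encoding) and collapse '.'/'..'
    segments. It does NOT cut the path at '?': the variant on this page hides
    one as %3f, and a query-aware parser would stop before the '..' segments."""
    out = []
    for seg in unquote(unquote(raw)).split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            if out:
                out.pop()
        else:
            out.append(seg)
    return '/' + '/'.join(out)

def classify(line: str):
    """Return a finding for a traversal request that resolves to fwbcgi, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw = m.group('path')
    if '..' not in unquote(unquote(raw)) or not normalize_path(raw).endswith(SENSITIVE_SUFFIX):
        return None
    status = int(m.group('status'))
    # Same split as the detection template described above: 200 with the handler
    # reached is the worrying case, 403 means the appliance refused the request.
    verdict = {200: 'likely-success', 403: 'blocked'}.get(status, 'attempt')
    return {'client': m.group('client'), 'status': status, 'raw_path': raw, 'verdict': verdict}

def scan(log_text: str) -> list:
    """Run classify over every line and keep the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]
```

A 'likely-success' finding on a management interface is a trigger for the assume-compromise checklist (review local administrator accounts created around that timestamp), not merely a patch reminder.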
Affected products & vendors
Recent activity
176 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical path traversal vulnerability in FortiWeb that attackers exploited.
A Fortinet FortiWeb zero-day vulnerability that was silently patched and reported as targeted in widespread attacks; the source gives no further details.
A Fortinet device vulnerability that the Sicarii ransomware attempts to exploit to enable lateral movement within victim networks.
Path traversal vulnerability in Fortinet FortiWeb.