module
FortiOS Path Traversal Credential Gatherer
| Disclosed | Created |
|---|---|
| N/A | Feb 27, 2021 |
Disclosed
N/A
Created
Feb 27, 2021
Description
Fortinet FortiOS versions 5.4.6 to 5.4.12, 5.6.3 to 5.6.7 and 6.0.0 to
6.0.4 are vulnerable to a path traversal vulnerability within the SSL VPN
web portal which allows unauthenticated attackers to download FortiOS system
files through specially crafted HTTP requests.
This module exploits this vulnerability to read the usernames and passwords
of users currently logged into the FortiOS SSL VPN, which are stored in
plaintext in the "/dev/cmdb/sslvpn_websession" file on the VPN server.
6.0.4 are vulnerable to a path traversal vulnerability within the SSL VPN
web portal which allows unauthenticated attackers to download FortiOS system
files through specially crafted HTTP requests.
This module exploits this vulnerability to read the usernames and passwords
of users currently logged into the FortiOS SSL VPN, which are stored in
plaintext in the "/dev/cmdb/sslvpn_websession" file on the VPN server.
Authors
Meh Chang
Orange Tsai
lynx (Carlos Vieira)
mekhalleh (RAMELLA Sébastien)
Orange Tsai
lynx (Carlos Vieira)
mekhalleh (RAMELLA Sébastien)
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.