Fortinet FortiWeb unauthenticated RCE
| Disclosed | Created |
|---|---|
| Nov 14, 2025 | Nov 26, 2025 |
Description
This exploit module exploits an authentication bypass via path traversal vulnerability in the Fortinet
FortiWeb management interface to create a new local administrator user account. From there a command
injection vulnerability is leveraged to achieve RCE with root privileges.
The auth bypass CVE-2025-64446 affects the following versions:
* FortiWeb 8.0.0 through 8.0.1 (Patched in 8.0.2 and above)
* FortiWeb 7.6.0 through 7.6.4 (Patched in 7.6.5 and above)
* FortiWeb 7.4.0 through 7.4.9 (Patched in 7.4.10 and above)
* FortiWeb 7.2.0 through 7.2.11 (Patched in 7.2.12 and above)
* FortiWeb 7.0.0 through 7.0.11 (Patched in 7.0.12 and above)
The command injection CVE-2025-58034 affects the following versions (note that the patched versions for the 7.6 and 7.4 branches differ slightly from those for CVE-2025-64446):
* FortiWeb 8.0.0 through 8.0.1 (Patched in 8.0.2 and above)
* FortiWeb 7.6.0 through 7.6.5 (Patched in 7.6.6 and above)
* FortiWeb 7.4.0 through 7.4.10 (Patched in 7.4.11 and above)
* FortiWeb 7.2.0 through 7.2.11 (Patched in 7.2.12 and above)
* FortiWeb 7.0.0 through 7.0.11 (Patched in 7.0.12 and above)
Note: Unsupported versions 6.* are also affected.
This exploit module has been confirmed to work against 8.0.1, 7.4.8, 6.4.3, and 6.3.9.
Authors
Defused
sfewer-r7
Platform
Linux,Unix
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':