FortiWeb 8.0.2 - Remote Code Execution Exploit Disclosed

🚨 A critical Remote Code Execution (RCE) vulnerability has been disclosed in FortiWeb appliances, identified as CVE-2025-64446. This vulnerability, reported by Mohammed Idrees Banyamer, has a CVSS score of 9.8 (Critical) and affects versions of FortiWeb below 7.6.7, 7.8.7, and 8.0.2.

Key Details:

  • Affected Versions: FortiWeb < 7.6.7, < 7.8.7, < 8.0.2
  • Exploit Tested On: FortiWeb 7.4.2, 7.6.0, 7.6.1 (VM builds)

Exploit Process:

  1. Creating temporary admin user - A temporary admin user is created via the /api/v2.0/user/local.add endpoint.
  2. Logging in with new admin - An authenticated session is established via /api/v2.0/login.
  3. Uploading webshell via backup function - A base64 encoded PHP webshell is posted as ‘pwned.dat’ to the /api/v2.0/system/maintenance/backup endpoint.
  4. Triggering reverse shell - A GET request is made to /pwned.dat on the target.
  5. Cleaning up temporary admin account - The temporary user is deleted via /api/v2.0/user/local.delete.
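
As an added defender-side example (not code from the original post or from the Fortinet advisory), the script below correlates the endpoint sequence of the disclosed chain in web access logs: account creation, a backup upload, a fetch of a non-API `.dat` path, and account deletion from one source within a short window. The log format, sample lines, stage threshold and time window are constructed assumptions; adapt the regex to the logging you actually collect.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical "ts src method path status" format,
# not FortiWeb's real log layout). The first source runs the full chain; the
# second is a routine admin backup and must not alert.
SAMPLE_LOG = """\
2025-11-14T10:00:01Z 203.0.113.5 POST /api/v2.0/user/local.add 200
2025-11-14T10:00:02Z 203.0.113.5 POST /api/v2.0/login 200
2025-11-14T10:00:04Z 203.0.113.5 POST /api/v2.0/system/maintenance/backup 200
2025-11-14T10:00:06Z 203.0.113.5 GET /pwned.dat 200
2025-11-14T10:00:07Z 203.0.113.5 POST /api/v2.0/user/local.delete 200
2025-11-14T11:30:00Z 198.51.100.9 POST /api/v2.0/login 200
2025-11-14T11:31:00Z 198.51.100.9 POST /api/v2.0/system/maintenance/backup 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")

# Stages of the chain, in the order the post describes them.
STAGES = [
    ("user_add", lambda m, p: m == "POST" and p == "/api/v2.0/user/local.add"),
    ("backup_upload", lambda m, p: m == "POST" and p == "/api/v2.0/system/maintenance/backup"),
    ("file_fetch", lambda m, p: m == "GET" and not p.startswith("/api/") and p.endswith(".dat")),
    ("user_delete", lambda m, p: m == "POST" and p == "/api/v2.0/user/local.delete"),
]
WINDOW = timedelta(minutes=10)  # assumed correlation window


def parse(log_text):
    """Yield (timestamp, src, method, path, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, method, path, status = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, method, path, int(status)


def find_chains(log_text, min_stages=3):
    """Return {src: [stages hit, in chain order]} for sources hitting >= min_stages within WINDOW."""
    hits = {}  # src -> [(ts, stage_name)]
    for ts, src, method, path, status in parse(log_text):
        if status != 200:
            continue  # only successful calls advance the chain
        for name, pred in STAGES:
            if pred(method, path):
                hits.setdefault(src, []).append((ts, name))
    alerts = {}
    for src, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide the window over each start point
            names = {n for t, n in events[i:] if t - t0 <= WINDOW}
            ordered = [n for n, _ in STAGES if n in names]
            if len(ordered) >= min_stages:
                alerts[src] = ordered
                break
    return alerts
```

A single backup call is normal administration; the alert fires only when several stages of the chain line up from one source, which keeps the rule useful on a busy appliance.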

Impact:

The successful execution of this exploit can lead to full system compromise and provide a root reverse shell to the attacker.

To mitigate this vulnerability, it is advised to upgrade to FortiWeb 7.6.7, 7.8.7, 8.0.2 or later.

For further details, please refer to the advisory.

Stay informed and secure! 🔒

This post is licensed under CC BY 4.0 by the author.