Core Impact Chronicle: Exploits and Updates | Q1 2026

Core Impact Exploit Library Additions

One of Core Impact’s most valuable features is its certified exploit library, maintained by a team (formerly Core Labs) within the Fortra Intelligence & Research Experts (FIRE) group. This team conducts in-depth research to evaluate and prioritize the most critical vulnerabilities, ensuring the library is updated with high-impact, reliable exploits that enable pen testers to use the same techniques as modern real-world threats.

While you can keep track of new releases through our  exploit mailing list, our quarterly blogs provide a more detailed summary of recent additions to the library.

CVE-2026-21858, CVE-2025-68613: n8n Improper Input Validation Unauthenticated Remote Code Execution Vulnerability Chain

Authors: Esteban Kazimirow, Nahuel González (QA), Marcos Accossatto (QA), Daniel De Luca (QA)

CVSS:

CVE-2026-21858:  10.0 CRITICAL 

CVE-2025-68613:  9.9 CRITICAL 

Reference: CVE-2026-21858, CVE-2025-68613

Key Vulnerability Details

• CVE-2026-21858 is an unauthenticated input handling failure in n8n’s form-based webhook processing that allows attackers to read arbitrary local files and pivot to remote code execution through workflow abuse
• CVE-2025-68613 is a critical workflow expression evaluation isolation failure that enables authenticated attackers to escape the workflow expression sandbox and execute arbitrary code within the n8n Node.js runtime during workflow execution
• Affected Versions: n8n 1.65.0 through 1.120.x for CVE-2026-21858, and 0.211.0 through 1.120.3 / 1.121.0 for CVE-2025-68613
• CWE Classification: CVE-2026-21858 is classified as Improper Input Validation (CWE-20) and CVE-2025-68613 is classified as Improper Neutralization/Isolation of Code (CWE-94)

Exploitation Impact and Mitigation

• Successful exploitation enables unauthenticated attackers to read sensitive files, forge administrative access tokens, and create malicious workflows to execute arbitrary OS commands, facilitating credential theft, lateral movement, and full automation stack compromise.
• Patch Availability: n8n released security updates addressing these vulnerabilities in coordinated releases issued in November 2025, with fixes delivered starting in version 1.121.0 and later maintained branches.

Attacks in the Wild

• CVE-2025-68613 has been actively exploited in the wild
• CISA has added CVE-2025-68613 vulnerability to the Known Exploited Vulnerabilities Catalog and issued an alert noting that it “poses significant risks to the federal enterprise.”
• Though no attacks have been reported, CVE-2026-21858 (“Ni8mare”) exposure scans identified tens of thousands of internet-facing n8n instances at risk of full compromise prior to patching.

Exploitation Mechanism

1. The exploit module sends a crafted request to a vulnerable unauthenticated n8n form endpoint, abusing improper input validation to read arbitrary files from the underlying filesystem. 
2. Using the file read primitive, the module extracts the n8n home directory path along with sensitive configuration files containing instance metadata and encryption key material. 
3. The module then reads the n8n SQLite database to obtain administrator account data stored in the application datastore. 
4. With the recovered encryption material and administrator metadata, the module then forges a valid authenticated administrator token. 
5. Leveraging the forged administrator access, the module creates a malicious workflow through the n8n API.
6. The crafted workflow is used to execute operating system commands and deploy a Core Impact OSCI agent on the n8n target.

7. The deployed agent will run with the privileges of the n8n service account.

    

CVE‑2026‑21513: Microsoft MSHTML Framework Security Feature Bypass Vulnerability

Authors: Ricardo Narvaja, Nahuel González (QA)

CVSS:  8.8 HIGH 

Reference: CVE-2026-21513

Key Vulnerability Details

• CVE‑2026‑21513 is a client‑side security boundary enforcement failure in the Microsoft MSHTML framework that allows remote attackers to bypass Windows trust and execution controls through user‑triggered content, resulting in arbitrary code execution within the victim’s desktop session 
• The flaw stems from insufficient validation in MSHTML hyperlink navigation logic within ieframe.dll, enabling attacker‑controlled input to reach code paths that invoke ShellExecuteExW and execute local resources outside the intended browser security context, effectively bypassing Mark‑of‑the‑Web protections 
•  Affected versions: Microsoft Windows 10, Windows 11, and Windows Server platforms prior to the February 2026 security updates 
• Classified as: Protection Mechanism Failure (CWE-693)

Exploitation Impact and Mitigation

• Successful exploitation allows attackers to convince users to open malicious HTML or shortcut files that bypass SmartScreen and Mark‑of‑the‑Web enforcement, enabling execution of attacker‑supplied DLLs, payload staging, and post‑exploitation activity within the user context, commonly as part of multi‑stage phishing campaigns. 
• Patch Availability: Microsoft released updates addressing this vulnerability as part of the February 2026 Patch Tuesday security update, remediating all supported Windows versions listed above. 

Attacks in the Wild

• CVE‑2026‑21513 has been actively exploited in the wild as a zero‑day, with campaigns attributed to the Russia‑linked threat actor APT28, leveraging malicious HTML and .lnk files to bypass Mark‑of‑the‑Web and deliver follow‑on payloads prior to patch release 
• CISA has added CVE‑2026‑21513 to the Known Exploited Vulnerabilities (KEV) Catalog.

Exploitation Mechanism

1. The exploit module generates a malicious DLL containing a Core Impact agent and places it on an attacker‑controlled SMB file share accessible to the target.
2. It then creates a crafted Windows shortcut (.lnk) file that references attacker‑supplied HTML content processed through the MSHTML framework.
3. The tester coerces the target into downloading and opening the .lnk file, triggering MSHTML rendering within a trusted Windows component.
4. Improper security context enforcement allows the embedded HTML to bypass Mark‑of‑the‑Web checks and invoke vulnerable hyperlink navigation logic in ieframe.dll.

5. The vulnerable code path calls ShellExecuteExW, causing the attacker‑controlled DLL to be loaded and executed within the victim’s Windows session, enabling deployment of the Core Impact agent and follow‑on post‑exploitation activity.

    

CVE‑2025‑14558: FreeBSD rtsold IPv6 Router Advertisement Remote Command Execution Vulnerability

Authors: Esteban Kazimirow, Nahuel González (QA), Daniel De Luca (QA)

CVSS:  7.2 HIGH 

Reference: CVE-2025-14558

Key Vulnerability Details

• CVE‑2025‑14558 is a network‑accessible input handling failure in the FreeBSD IPv6 router solicitation subsystem that allows a malicious node on the local network to inject and execute arbitrary shell commands during router advertisement processing, resulting in remote code execution with root privileges on the target system 
• The flaw stems from rtsold(8) and rtsol(8) passing unvalidated Domain Search List (DNSSL) data from IPv6 Router Advertisement messages directly to the resolvconf(8) shell script, which fails to properly quote user‑controlled input and interprets embedded shell metacharacters as executable code 
• Affected versions: FreeBSD 13.x, 14.x, and 15.x systems prior to the security fixes released on December 16, 2025 
• Classified as: Improper Neutralization of Special Elements used in an OS Command (Command Injection) (CWE-78)

Exploitation Impact and Mitigation

• Successful exploitation enables a tester on the same Layer‑2 network segment to send a single crafted IPv6 Router Advertisement that is accepted by the target, leading to arbitrary command execution as root, full system compromise, and the ability to deploy persistent network or host‑based implants 
• Patch Availability: The FreeBSD Project released an update addressing this vulnerability as part of Security Advisory FreeBSD‑SA‑25:12.rtsold, remediating all supported FreeBSD branches listed above.

Attacks in the Wild

• CVE‑2025‑14558 has not been widely reported as exploited in targeted campaigns, but multiple public proof‑of‑concept exploits have been released demonstrating reliable command injection via malicious DNSSL options, significantly lowering the barrier to abuse on internal networks.

Exploitation Mechanism

1. The exploit module constructs a raw Ethernet packet to ensure IPv6 Router Advertisement traffic reaches the target interface without operating system filtering.
2. It generates a malicious IPv6 Router Advertisement message advertising the tester as a legitimate router on the local network.
3. The module calculates and inserts valid checksums so the FreeBSD kernel on the target accepts and processes the packet.
4. Malicious shell syntax is embedded inside the Domain Search List (DNSSL) option payload using a format that triggers command interpretation when passed to resolvconf(8).

5. When the target processes the crafted router advertisement, rtsold(8) forwards the unvalidated DNSSL data to the resolvconf(8) shell script, resulting in execution of tester‑controlled commands with root privileges and deployment of the network agent under full administrative context.

    

CVE-2026-20841: Microsoft Windows Notepad Markdown Command Injection Exploit

Authors: Esteban Kazimirow, Nahuel González (QA), Daniel De Luca (QA)

CVSS:  7.8 HIGH 

Reference: CVE-2026-20841

Key Vulnerability Details

• CVE-2026-20841 is an improper input handling failure that allows an unauthorized attacker to execute arbitrary commands by abusing Markdown link handling in the Windows Notepad application, resulting in code execution within the current user context 
• The flaw stems from insufficient neutralization of special elements in Markdown hyperlink processing, where attacker-controlled link targets are passed into Windows shell or protocol handlers without adequate validation, enabling command injection through non-HTTP(S) URI schemes
• Affected Versions: Windows Notepad (Microsoft Store app) versions prior to 11.2512 
• CWE Classification:  Improper Neutralization of Special Elements used in a Command (‘Command Injection’) ( CWE-77 )

Exploitation Impact and Mitigation

• Successful exploitation enables unauthorized attackers to leverage user interaction with crafted Markdown files to trigger arbitrary command execution, deploy follow-on payloads, and establish post-exploitation access with the privileges of the logged-in user, commonly suitable for phishing-style client-side attack chains.
• Patch Availability: Microsoft released an update addressing this vulnerability as part of the February 2026 Patch Tuesday security updates, remediating affected Notepad versions through Microsoft Store updates and Windows servicing channels.

Attacks in the Wild

• Public reporting indicates that CVE-2026-20841 has been disclosed and weaponizable via proof-of-concept Markdown files abusing file:// and ms-appinstaller:// links, but no large-scale intrusions or sustained exploitation campaigns have been publicly attributed to this vulnerability 
• No major attacks have been reported at this time.

Exploitation Mechanism

1. The exploit module prepares a malicious Markdown (.md) file containing crafted hyperlink elements with attacker-controlled URI schemes that embed command injection primitives. 
2. The tester delivers the malicious Markdown file to the target and coerces the target into opening it with a vulnerable Microsoft Windows Notepad version. 
3. Upon interaction with the embedded link, Notepad processes the Markdown hyperlink and improperly forwards the attacker-supplied URI to Windows shell or protocol handling logic without sufficient sanitization. 
4. The vulnerable code path allows special characters and non-HTTP(S) schemes to reach command execution contexts, resulting in execution of attacker-controlled commands within the current user’s session.

5. With command execution achieved, the module deploys a Core Impact agent on the target system, enabling post-exploitation activity with the privileges of the affected user. 

    

CVE-2025-40554: SolarWinds Web Help Desk Authentication Bypass Vulnerability

Authors: Esteban Kazimirow, Nahuel González (QA), Daniel De Luca (QA)

CVSS:  9.8 CRITICAL 

Reference: CVE-2025-40554

Key Vulnerability Details

• CVE-2025-40554 is an authentication enforcement failure that stems from improper validation in the WebObjects request handling logic, where a crafted request containing manipulated badparam parameters is processed without enforcing authentication checks, enabling direct access to protected administrative routes. 
• Affected Versions: SolarWinds Web Help Desk versions up to (excluding) 2026.1
• CWE Classification: Weak Authentication (CWE-1390) 

Exploitation Impact and Mitigation

• Successful exploitation enables unauthenticated attackers to bypass login controls, obtain an administrative session, and directly access the Web Help Desk administrative panel, exposing configuration data, authentication settings, and privileged functionality that can be abused for further compromise. 
• Patch Availability: SolarWinds released an update addressing this vulnerability as part of the Web Help Desk 2026.1 release, remediating affected versions listed above. 

Attacks in the Wild

• This vulnerability was identified as being actively exploited a week after the security flaw was disclosed. 
• CISA has added this vulnerability to Known Exploited Vulnerabilities (KEV) Catalog and issued an alert noting that it “poses a significant risk to the federal enterprise.”

Exploitation Mechanism

1. The exploit module connects to the target SolarWinds Web Help Desk instance and retrieves initial session cookies by issuing an unauthenticated HTTP request.
2. It then searches response headers, cookies, and returned HTML content to identify the active WebObjects session identifier associated with the service.
3. Using the recovered session context, the module accesses a special internal route while injecting manipulated badparam parameters to test authentication bypass behavior.
4. Improper input validation of the badparam parameter allows the request to bypass normal authentication enforcement, resulting in the creation of an administrative session without valid credentials.

5. The module then constructs a direct URL leveraging the authenticated administrative context, granting unauthorized access to the Web Help Desk administrative panel and privileged application functions.

    

CVE-2025-52691: SmarterTools SmarterMail Unauthenticated Arbitrary File Upload Remote Code Execution Vulnerability

Authors: Ricardo Narvaja, Daniel De Luca (QA)

CVSS:  10.0 CRITICAL 

Reference: CVE-2025-52691

Key Vulnerability Details

• CVE-2025-52691 is a maximum security flaw that allows remote attackers to write arbitrary files to attacker‑controlled paths on the SmarterMail server, resulting in remote code execution within the mail service 
• The flaw stems from improper input validation in the SmarterMail upload API, allowing directory traversal sequences in upload metadata to bypass intended path restrictions and place attacker‑supplied files in executable locations 
• Affected versions: SmarterTools SmarterMail versions prior to 100.0.9413 
• Classified as: Unrestricted Upload of File with Dangerous Type (CWE 434) 

Exploitation Impact and Mitigation

• Successful exploitation enables unauthenticated attackers to achieve full remote code execution by uploading and executing web shells, potentially leading to complete mail server compromise, credential harvesting, persistent access, and lateral movement within enterprise environments 
• Patch Availability: SmarterTools released a new build addressing this vulnerability as part of coordinated SmarterMail security updates issued in October 2025, remediating affected builds prior to 100.0.9413 
• As an additional mitigation, organizations should restrict public exposure of SmarterMail administrative services and treat any unpatched or previously exposed instances as potentially compromised pending incident response review 

Attacks in the Wild

• CVE-2025-52691 has been actively exploited in the wild, with attackers abusing unauthenticated file upload capabilities to deploy ASPX web shells and achieve SYSTEM‑level remote code execution on vulnerable SmarterMail servers 
• CISA has added CVE-2025-52691 to Known Exploited Vulnerabilities (KEV) Catalog.

Exploitation Mechanism

1. The exploit module first verifies that the target SmarterMail service is accessible and listening on its default administrative port, TCP/9998.
2. It sends a specially crafted multipart/form‑data POST request to a vulnerable, unauthenticated upload endpoint, embedding directory traversal sequences within attacker‑controlled upload parameters.
3. The request abuses improper input validation to bypass upload directory restrictions, allowing an ASPX web shell to be written to attacker‑chosen locations such as the SmarterMail web root or the underlying IIS web server directory.
4. After a successful upload, the module attempts to access the deployed web shell via HTTP, first through the SmarterMail service and subsequently through the IIS service on TCP/80 when available.

5. The uploaded web shell executes arbitrary operating system commands supplied via HTTP query parameters, enabling interactive command execution and optional deployment of a Core Impact agent using a fileless HTA technique when IIS access is present.

    

CVE-2026-24061: GNU Inetutils telnetd Authentication Bypass Remote Code Execution Vulnerability

Authors: Marcos Accossatto, Daniel De Luca (QA)

CVSS:  9.8 CRITICAL 

Reference: CVE-2026-24061

Key Vulnerability Details

• CVE-2026-24061 is a remote authentication enforcement failure in GNU Inetutils telnetd that allows unauthenticated attackers to bypass login controls and reach privileged execution paths over the network, resulting in arbitrary command execution
• The flaw stems from unsafe handling of the USER environment variable during Telnet NEW_ENVIRON option negotiation, enabling argument injection into the backend login process by supplying crafted values passed directly to /usr/bin/login
• Affected Versions: GNU Inetutils telnetd 1.9.3 through 2.7
• CWE Classification: Argument Injection (CWE-88)

Exploitation Impact and Mitigation

• Successful exploitation enables attackers to execute arbitrary commands as the root user, deploy persistent network agents, establish long-term privileged access, and perform follow-on actions such as credential harvesting, lateral movement, and full host takeover across exposed Telnet services.
• Patch Availability: GNU Inetutils released updates addressing this vulnerability as part of subsequent security releases, remediating affected versions listed above by sanitizing environment variable handling and blocking unsafe argument propagation. 

Attacks in the Wild

• CVE-2026-24061 has been actively exploited in the wild following public disclosure, with multiple campaigns observed abusing trivial USER environment variable injection over exposed Telnet services to obtain immediate root shells on vulnerable systems.
• CISA has added CVE-2026-24061 to Known Exploited Vulnerabilities (KEV) Catalog 

Exploitation Mechanism

1. The exploit module establishes a telnet connection to the target system running a vulnerable GNU Inetutils telnetd service. 
2. During telnet option negotiation, the module sets the USER environment variable to the value -f root within the telnet session. 
3. The vulnerable telnetd process passes the crafted USER value directly to the system login binary without validation. 
4. The injected -f root argument causes the login process to bypass authentication and spawn a root privileged session. 

5. With root level execution obtained, the module deploys a network agent on the target, which runs with full root user privileges.

    

CVE-2025-3464: Asus Armoury Crate AsIO3.sys Authorization Bypass Local Privilege Escalation Vulnerability

Authors: Cristian Rubio, Daniel De Luca (QA)

CVSS:  8.4 HIGH 

Reference: CVE-2025-3464

Key Vulnerability Details

• CVE-2025-3464 is a race condition that allows local unprivileged attackers to bypass a kernel driver access control boundary, resulting in execution of privileged driver functionality beyond intended trust constraints. 
• The flaw stems from improper authorization validation in the AsIO3.sys driver, where a Time-of-Check Time-of-Use race condition combined with hard link manipulation allows attacker-controlled processes to be validated as trusted components. 
• Affected Versions: Asus Armoury Crate 5.9.9.0 through 6.1.18.0. 
• CWE Classification: Improper Authorization (CWE-285).

Exploitation Impact and Mitigation

• Successful exploitation enables attackers to abuse privileged driver interfaces to manipulate kernel memory, overwrite security-relevant kernel fields, and replace the current process token with the SYSTEM token, enabling unrestricted execution of arbitrary code with full operating system privileges and facilitating persistence, credential theft, and disabling of endpoint protections. 
• Patch Availability: ASUS released an update addressing this vulnerability as part of the Armoury Crate security update issued on June 16 2025, remediating affected versions listed above. 

Attacks in the Wild

• No major attacks have been reported at this time. 

Exploitation Mechanism

1. The exploit module leaks the kernel address of the current thread to establish a reliable reference point for subsequent kernel memory manipulation.
2. Using the recovered thread information, the module identifies and leaks the kernel address of the current process access token associated with the executing process.
3. The module then locates and leaks the kernel address of the SYSTEM process access token to prepare for privilege substitution.
4. With the required kernel objects identified, the module triggers the AsIO3.sys authorization bypass vulnerability through controlled hard link manipulation, gaining unauthorized access to privileged driver functionality.
5. Leveraging exposed driver primitives, the module overwrites the PreviousMode field of the current thread, temporarily forcing kernel-mode execution context.
6. While operating in the modified execution context, the module replaces the current process access token with the SYSTEM process token, effectively elevating privileges.

7. Finally, the module restores the original PreviousMode value to reestablish normal execution state and maintain system stability after privilege escalation.

    

CVE-2025-58034, CVE-2025-64446: Fortinet FortiWeb CLI SAML Configuration OS Command Injection Vulnerability Chain

Authors: Marcos Accossatto, Daniel De Luca (QA)

CVE-2026-21858:  7.2 HIGH 

CVE-2025-68613:  9.8 CRITICAL 

Reference: CVE-2025-58034, CVE-2025-64446 

Key Vulnerability Details

• CVE-2025-58034 is an OS Command Injection in Fortinet FortiWeb’s CLI SAML configuration processing that allows attackers to inject OS commands during configuration operations, resulting in command execution on the underlying appliance. 
• CVE-2025-64446 is a relative path traversal that allows an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
• Affected Versions: FortiWeb 8.0.0 through 8.0.1; 7.6.0 through 7.6.4/7.6.5 (per CVE scope); 7.4.0 through 7.4.9/7.4.10; 7.2.0 through 7.2.11; 7.0.0 through 7.0.11. 
• CWE Classification: CVE-2025-58034 is classified as Improper Neutralization of Special Elements used in an OS Command (CWE-78); CVE-2025-64446 is classified as Relative Path Traversal (CWE-23). 

Exploitation Impact and Mitigation

• Successful exploitation enables attackers to create or leverage administrative identities, access the FortiWeb CLI via management interfaces, and execute arbitrary OS commands as root, enabling appliance takeover, security control bypass, persistence, and downstream network compromise. 
• Patch Availability: Fortinet released updates addressing these vulnerabilities as part of coordinated FortiWeb security advisories and subsequent fixed releases 

Attacks in the Wild

• CVE-2025-64446 has been actively exploited in the wild to create rogue administrator accounts on internet-facing FortiWeb appliances, and has been observed chained with CVE-2025-58034 to achieve unauthenticated remote code execution. 
• CISA has issued a formal alert and added both CVE-2025-64446 and CVE-2025-58034 to the Known Exploited Vulnerabilities (KEV) Catalog, citing significant risk to enterprise environments. 

Exploitation Mechanism

1. The exploit module attempts to authenticate to the target FortiWeb management interface using supplied credentials; if none are provided, it exploits CVE-2025-64446 to create a new administrative user with random credentials.
2. Upon successful authentication, the module stores the obtained credentials as an identity and queries the /api/v2.0/system/state endpoint to determine the target system version.
3. The module selects an appropriate payload based on the retrieved FortiWeb version and switches to WebSocket communication via the /ws/cli/open endpoint to access the CLI.
4. Through the CLI channel, the module issues commands to create a new SAML configuration, embedding OS command payloads that trigger the authenticated command injection condition in CVE-2025-58034.

5. The injected commands deploy a Python agent on the target appliance, which executes with root privileges, establishing full control of the FortiWeb system.

    

CVE-2025-14847: MongoDB Unauthenticated Remote Memory Disclosure via Zlib-Compressed Protocol Headers

Authors: Esteban Kazimirow, Nahuel González (QA)

CVSS:  8.7 HIGH 

Reference: CVE-2025-14847

Key Vulnerability Details

• CVE-2025-14847 is an unauthenticated input length validation failure in MongoDB Server’s network message processing that allows remote attackers to trigger out-of-bounds memory reads across the pre-authentication boundary. 
• The flaw originates from improper validation of length parameters in Zlib-compressed OP_COMPRESSED protocol headers, causing the server to return uninitialized heap memory to the client during message decompression. 
• Affected Versions: MongoDB Server 3.6.x, 4.0.x, 4.2.x, 4.4.0 through 4.4.29, 5.0.0 through 5.0.31, 6.0.0 through 6.0.26, 7.0.0 through 7.0.27, 8.0.0 through 8.0.16, and 8.2.0 through 8.2.2 
• CWE Classification: Improper Handling of Length Parameter Inconsistency (CWE-130) 

Exploitation Impact and Mitigation

• Successful exploitation enables attackers to extract arbitrary fragments of MongoDB server heap memory, potentially exposing credentials, authentication tokens, API keys, configuration values, BSON document fragments, and other sensitive in-memory data that can be reused for secondary compromise, lateral movement, or service impersonation. 
• Patch Availability: MongoDB released updates addressing this vulnerability as part of coordinated December 2025 security releases, remediating affected versions listed above and deploying automatic fixes for MongoDB Atlas clusters. 

Attacks in the Wild

• CVE-2025-14847 has been actively exploited in the wild shortly after public disclosure, with multiple security firms reporting real-world abuse and over 87,000 potentially susceptible instances have been identified.
• CISA has added CVE-2025-14847 to the Known Exploited Vulnerabilities (KEV) Catalog, mandating remediation for affected federal systems. 

Exploitation Mechanism

1. The exploit module establishes a raw TCP connection to the target MongoDB server on the default service port 27017.
2. It sends crafted OP_COMPRESSED messages containing Zlib-compressed BSON payloads with intentionally inflated uncompressed length values.
3. The module iterates through manipulated document length fields, causing the server to allocate buffers larger than the actual decompressed data.
4. Due to improper length validation in the Zlib decompression logic, the target returns uninitialized heap memory fragments as part of protocol error responses.

5. The module extracts leaked memory contents from server responses, displays them in the module output, and optionally writes the collected memory data to disk for offline analysis and exploitation chaining.

    

CVE-2025-64446: Fortinet FortiWeb Relative Path Traversal Vulnerability Exploit

Authors: Marcos Accossatto, Daniel De Luca (QA) 

CVSS:  9.8 CRITICAL 

Reference: CVE-2025-64446

Key Vulnerability Details

• CVE-2025-64446 is a relative path traversal that allows an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
• Affected Versions: Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11
• CWE Classification: CVE-2025-64446 is classified as Relative Path Traversal (CWE-23). 

Exploitation Impact and Mitigation

• Successful exploitation enables attackers to create or leverage administrative identities, access the FortiWeb CLI via management interfaces, and execute arbitrary OS commands as root, enabling appliance takeover, security control bypass, persistence, and downstream network compromise. 
• Patch Availability: Fortinet released updates addressing these vulnerabilities as part of coordinated FortiWeb security advisories and subsequent fixed releases 

Attacks in the Wild

• CVE-2025-64446 is a path-traversal vulnerability in the Fortinet FortiWeb Web Application Firewall (WAF) that has been actively exploited in the wild since early October 2025. The vulnerability allows unauthenticated attackers to execute administrative commands and create new admin accounts, leading to full system compromise
• CISA has issued a formal alert and added CVE-2025-64446 to the Known Exploited Vulnerabilities (KEV) Catalog, citing significant risk to enterprise environments. 

Exploitation Mechanism

1. This exploit leverages a relative path traversal vulnerability that leads to an authentication bypass in Fortinet FortiWeb to create a new user with administrative privileges (prof_admin) in the target system.
2. First, the module will check if the target is vulnerable to the authentication bypass by checking the path traversal against a specific endpoint with an empty payload.
3. If the target is vulnerable, the vulnerability will be used again to create a new user with administrative privileges (prof_admin) in the target system using the provided credentials.
4. If no credentials are provided, the module will generate a random one.
5. After successful exploitation, the new administrative credentials are added as an Identity in Core Impact.