Metasploit Adds Exploit Module for Recently Disclosed FortiWeb 0-Day Vulnerabilities


The Metasploit Framework has introduced a new exploit module targeting critical vulnerabilities in Fortinet’s FortiWeb Web Application Firewall (WAF).

This module chains two recently disclosed flaws, CVE-2025-64446 and CVE-2025-58034, to achieve unauthenticated Remote Code Execution (RCE) with root privileges.

The release follows reports of active exploitation in the wild, a “silent patch” from Fortinet, and later bypasses, which together have left many appliances exposed.

The Exploitation Chain

The new module, identified as exploit/linux/http/fortinet_fortiweb_rce, automates a sophisticated attack chain that bypasses authentication mechanisms before executing arbitrary operating system commands.

The attack begins with CVE-2025-64446, a critical authentication bypass vulnerability with a CVSS score of 9.1. As analyzed by researchers at watchTowr, this flaw combines a path traversal issue with improper handling of the CGIINFO header, which the fwbcgi executable trusts to carry the caller’s identity.

By forging this header and traversing from an API path to the fwbcgi executable, an unauthenticated attacker can impersonate the built-in admin user and create a new administrative account without valid credentials.


Once administrative access is established, the module leverages CVE-2025-58034 to compromise the underlying system. This second vulnerability is an authenticated command injection flaw found in the FortiWeb API and CLI, where special elements in OS commands are not properly neutralized.

Rapid7 analysis confirms that this flaw allows an authenticated user to escape the intended shell restrictions and execute commands as the root user. By chaining these two issues, the Metasploit module allows an external attacker to go from zero access to full system control in seconds.

The Metasploit module is designed to be flexible across different attack scenarios. In its default mode, it automatically exploits the authentication bypass (CVE-2025-64446) to provision a random administrator account.

It then authenticates with these new credentials to trigger the command injection. Alternatively, if an attacker already possesses valid credentials, the module can be configured to skip the bypass phase and directly exploit CVE-2025-58034.

Technically, the exploit uses a chunked upload mechanism to deliver its payload. As seen in the pull request documentation, the module uploads a “bootstrap payload” in multiple parts (e.g., 4 chunks), then concatenates the parts on the appliance and executes the result.


This method ensures reliable execution even within the constrained environment of the appliance. Successful exploitation grants a shell with uid=0(root), giving the attacker complete control over the WAF device.

Fortinet has released patches to address these vulnerabilities, and users are strongly advised to upgrade immediately to FortiWeb 8.0.2 or later, or to the corresponding fixed release for their branch.

Because CVE-2025-64446 allows the silent creation of rogue administrators, patching alone is insufficient for devices that may already have been compromised. Security teams should audit the appliance’s administrator list for unknown accounts and review logs for requests to /api/v2.0/cmdb/system/admin, especially those containing path traversal sequences or originating from untrusted IP addresses.
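The two checks above (log review for suspicious admin-API requests, and an audit of administrator accounts against a known-good baseline) as an added example. This is not code from the Metasploit module, Rapid7 or Fortinet. It assumes a constructed common-log-style line format (real FortiWeb traffic logs use their own key=value layout), a trusted management network of 10.0.0.0/8, and an invented baseline admin list; the sample log lines and account names are constructed for illustration.

```python
"""Triage helpers for the post-patch checks: hunt access logs for the shape of
the CVE-2025-64446 request and diff admin accounts against a baseline.

Added example, not code from the Metasploit module, Rapid7 or Fortinet.
Assumptions: log lines are in a constructed common-log style, the trusted
management network is 10.0.0.0/8, and the admin lists are invented.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

ADMIN_API = "/api/v2.0/cmdb/system/admin"

# Constructed sample traffic. The first line mimics the shape of the bypass
# request: admin endpoint prefix, encoded '?', then traversal to cgi-bin/fwbcgi.
SAMPLE_LOG = """\
203.0.113.45 - - [15/Nov/2025:10:12:03 +0000] "POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.5 - - [15/Nov/2025:10:15:20 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Nov/2025:10:16:00 +0000] "POST /api/v2.0/cmdb/system/admin HTTP/1.1" 200 300 "-" "curl/8.0"
10.0.0.5 - - [15/Nov/2025:10:17:00 +0000] "GET /ws/static/app.js HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

TRUSTED_NETS = [ip_network("10.0.0.0/8")]  # assumption: management network only

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(raw: str) -> str:
    """Percent-decode until stable so %2e%2e and %252e%252e both become '..'."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_trusted(ip: str, nets) -> bool:
    """True only for parsable addresses inside an allowed network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # an unparsable source is never trusted
    return any(addr in net for net in nets)


def classify(ip: str, path: str, nets=TRUSTED_NETS):
    """Return the indicators that apply to one request, or [] for clean traffic."""
    p = normalize_path(path)
    findings = []
    # The bypass keeps the admin endpoint as a prefix, smuggles a '?' (%3F) and
    # climbs to cgi-bin/fwbcgi; any '../' or fwbcgi reference under the API is suspect.
    if "../" in p or "fwbcgi" in p.lower():
        findings.append("path traversal toward fwbcgi")
    # Legitimate admin management should only come from the management network.
    if p.startswith(ADMIN_API) and not is_trusted(ip, nets):
        findings.append("admin endpoint from untrusted source")
    return findings


def scan_log(text: str, nets=TRUSTED_NETS):
    """Parse log lines and keep only those carrying at least one indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        found = classify(m["ip"], m["path"], nets)
        if found:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": m["path"], "findings": found})
    return hits


def audit_admins(current, expected):
    """Accounts present on the appliance but absent from the approved baseline."""
    return sorted(set(current) - set(expected))


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["path"], "->", ", ".join(hit["findings"]))
    # Constructed account list standing in for the appliance's admin table.
    print("unexpected admins:", audit_admins(["admin", "fwbadmin_k3x9"], ["admin"]))
```

The CGIINFO header itself is not visible in an access log, so this only catches the request shape; if full request captures or a reverse proxy in front of the appliance are available, search those for any inbound CGIINFO header as well, since no legitimate client should send one.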

CVE ID           Vulnerability Type             CVSS   Affected Products (Partial List)
CVE-2025-64446   Auth Bypass / Path Traversal   9.1    FortiWeb 7.4.0-7.4.4, 7.6.0-7.6.4, 8.0.0-8.0.1
CVE-2025-58034   OS Command Injection           7.2    FortiWeb 8.0.0-8.0.1
