Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

When The Impersonation Function Gets Used To Impersonate Users (Fortinet FortiWeb Auth. Bypass CVE-2025-64446)- 1797

Sina Kheirkhah - Watchtowr. Posted 3 months ago
  • Fortinet FortiWeb had a 0-day that was publicly identified. This is Watchtowr's report of the timeline of the issue and of the exploit found for it; the exploit chains two security issues.
  • The first vulnerability is a simple-looking path traversal. Starting from a completely valid API path (/api/v2.0/cmdb/system/admin/) and walking backwards with ../ segments, it was possible to reach a different CGI executable on the device. The program likely took the rest of the path after the API endpoint and used it directly as the path of the executable to run. The actual vulnerable path, however, wasn't confirmed in the write-up.
  • Once the unintended CGI has been reached, there are still two checks to pass before cgi_process will handle the request: input validation and an authentication check. The first is basic JSON validation. The second, a function labeled cgi_auth(), is an impersonation function and NOT an authentication check: it decodes the CGIINFO header to obtain a username, profile name, virtual domain and login identifier, and the request then runs as that user. Because the header is supplied by the client, you can impersonate any user in the application, such as the built-in admin.
  • The real exploit creates a local user with administrative privileges to take control of the device. Overall, an interesting bug that led to the triggering of unintended functionality. Pretty neat!
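The two weaknesses in the chain are generic bug classes, so here is an added model of both, side by side with the hardened form. This is example code written for this page, not FortiWeb code and not Watchtowr's exploit; the CGI directory layout, the handler names, the CGIINFO encoding (base64-wrapped JSON) and the field names inside it are assumptions made for the example, since the write-up as summarised above only names the API path and the header.

```python
import base64
import json
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed model of the two weaknesses summarised above. The directory
# layout, handler names and CGIINFO encoding are assumptions for the example.
API_PREFIX = "/api/v2.0/cmdb/system/admin/"     # API path named in the write-up
ADMIN_CGI_DIR = "/cgi-bin/cmdb/system/admin"    # assumed directory of handlers
ALLOWED_HANDLERS = {"list", "get", "set"}        # assumed legitimate handlers


def resolve_cgi_vulnerable(request_path: str) -> Optional[str]:
    """Use whatever follows the API prefix as the executable path, unchecked."""
    path = unquote(request_path)                 # %2e%2e becomes ..
    if not path.startswith(API_PREFIX):
        return None
    suffix = path[len(API_PREFIX):]
    # normpath collapses "admin/../../../x" to "/cgi-bin/x": the ../ segments
    # are resolved by the filesystem, so a different CGI executable is run.
    return posixpath.normpath(posixpath.join(ADMIN_CGI_DIR, suffix))


def resolve_cgi_hardened(request_path: str) -> Optional[str]:
    """Canonicalise first, then refuse anything outside the intended directory."""
    path = unquote(request_path)
    if not path.startswith(API_PREFIX):
        return None
    suffix = path[len(API_PREFIX):]
    resolved = posixpath.normpath(posixpath.join(ADMIN_CGI_DIR, suffix))
    if posixpath.dirname(resolved) != ADMIN_CGI_DIR:
        return None              # climbed out of (or below) the handler directory
    if posixpath.basename(resolved) not in ALLOWED_HANDLERS:
        return None              # unknown handler, even inside the directory
    return resolved


# Constructed server-side session store: the only place identity should come from.
SESSIONS = {
    "s3cr3t-cookie-value": {"username": "readonly", "profile": "ro_prof",
                            "vdom": "root", "login": "readonly"},
}
CGIINFO_FIELDS = ("username", "profile", "vdom", "login")   # assumed field names


def encode_cgiinfo(username: str, profile: str, vdom: str, login: str) -> str:
    """Build a CGIINFO header value (base64 JSON is an assumption of this model)."""
    payload = dict(zip(CGIINFO_FIELDS, (username, profile, vdom, login)))
    return base64.b64encode(json.dumps(payload).encode()).decode()


def identity_vulnerable(headers: dict) -> Optional[dict]:
    """cgi_auth()-style 'check': the caller simply tells the server who they are."""
    raw = headers.get("CGIINFO")
    if raw is None:
        return None
    try:
        info = json.loads(base64.b64decode(raw, validate=True))
    except ValueError:            # bad base64 or bad JSON
        return None
    if not isinstance(info, dict) or not all(k in info for k in CGIINFO_FIELDS):
        return None
    return info                   # attacker-chosen identity, e.g. the built-in admin


def identity_hardened(headers: dict, sessions: dict = SESSIONS) -> Optional[dict]:
    """Identity comes only from a server-side session; a client CGIINFO is ignored."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return sessions.get(value)
    return None
```

The hardened resolver deliberately compares the canonicalised parent directory rather than checking the raw request for "..": a prefix check on the normalised path also catches encoded variants and absolute-path suffixes. The hardened identity lookup never reads CGIINFO at all; a header that exists for internal impersonation must not be reachable from an external request.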