CVE-2025-64446 (#1583)

* CVE-2025-64446

Author: buixor

.appsec-tests/CVE-2025-64446/CVE-2025-64446.yaml

@@ -0,0 +1,25 @@
+id: CVE-2025-64446
+info:
+  name: CVE-2025-64446
+  author: crowdsec
+  severity: info
+  description: CVE-2025-64446 testing
+  tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+  - raw:
+    - |
+      POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1
+      Host: 127.0.0.1:4242
+      Accept-Encoding: identity
+      Content-Length: 824
+      CGIINFO: eyJ1c2VybmFtZSI6ICJhZG1pbiIsICJwcm9mbmFtZSI6ICJwcm9mX2FkbWluIiwgInZkb20iOiAicm9vdCIsICJsb2dpbm5hbWUiOiAiYWRtaW4ifQ==
+      Content-Type: application/x-www-form-urlencoded
+
+      {"data": {"q_type": 1, "name": "c41e0b38", "access-profile": "prof_admin", "access-profile_val": "0", "trusthostv4": "0.0.0.0/0", "trusthostv6": "::/0", "last-name": "", "first-name": "", "email-address": "", "phone-number": "", "mobile-number": "", "hidden": 0, "comments": "", "sz_dashboard": -1, "type": "local-user", "type_val": "0", "admin-usergrp_val": "0", "wildcard_val": "0", "accprofile-override_val": "0", "sshkey": "", "passwd-set-time": 0, "history-password-pos": 0, "history-password0": "", "history-password1": "", "history-password2": "", "history-password3": "", "history-password4": "", "history-password5": "", "history-password6": "", "history-password7": "", "history-password8": "", "history-password9": "", "force-password-change": "disable", "force-password-change_val": "0", "password": "c41e0b38"}}
+    cookie-reuse: true
+#test will fail because we won't match http status 
+    matchers:
+    - type: status
+      status:
+       - 403

.appsec-tests/CVE-2025-64446/config.yaml

@@ -0,0 +1,4 @@
+appsec-rules:
+    - ./appsec-rules/crowdsecurity/vpatch-CVE-2025-64446.yaml
+    - ./appsec-rules/crowdsecurity/base-config.yaml
+nuclei_template: CVE-2025-64446.yaml

appsec-rules/crowdsecurity/vpatch-CVE-2025-64446.yaml

@@ -0,0 +1,50 @@
+name: crowdsecurity/vpatch-CVE-2025-64446
+description: 'Detects FortiWeb authentication bypass via path traversal and CGIINFO header with admin impersonation'
+rules:
+  - and:
+      - zones:
+          - URI
+        transform:
+          - urldecode
+          - lowercase
+        match:
+          type: contains
+          value: '/api/v2.0/cmdb/system/admin'
+      - zones:
+          - URI
+        transform:
+          - urldecode
+          - lowercase
+        match:
+          type: contains
+          value: '../'
+      - zones:
+          - URI
+        transform:
+          - urldecode
+          - lowercase
+        match:
+          type: contains
+          value: '/cgi-bin/fwbcgi'
+      - zones:
+          - HEADERS
+        variables:
+          - CGIINFO
+        transform:
+          - b64decode
+          - lowercase
+        match:
+          type: contains
+          value: 'admin'
+
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: 'http:exploit'
+  label: 'FortiWeb - Authentication Bypass'
+  classification:
+    - cve.CVE-2025-64446
+    - attack.T1190
+    - cwe.CWE-23

collections/crowdsecurity/appsec-virtual-patching.yaml

@@ -136,6 +136,7 @@ appsec-rules:
 - crowdsecurity/vpatch-CVE-2019-7276
 - crowdsecurity/vpatch-CVE-2020-8656
 - crowdsecurity/vpatch-CVE-2025-27222
+- crowdsecurity/vpatch-CVE-2025-64446
 author: crowdsecurity
 contexts:
 - crowdsecurity/appsec_base