
This new module is highly critical because it chains together two recently discovered vulnerabilities. When used together, these flaws allow an attacker with no username or password to completely take over a device with “root” (maximum) privileges.
The update was merged into the framework on November 21, 2025, by contributor sfewer-r7. It provides security researchers and penetration testers with a reliable way to test network defenses against this specific attack chain.
| CVE ID | Type | Impact | Severity |
|---|---|---|---|
| CVE-2025-64446 | Auth Bypass | Allows creation of rogue admin accounts | Critical |
| CVE-2025-58034 | Command Injection | Allows root-level code execution | High |
The Exploit Chain Explained
The new Metasploit module exploits two distinct security flaws. By themselves, they are dangerous, but together they offer a “golden ticket” for attackers.
- The Entry Point (CVE-2025-64446): This is an authentication bypass vulnerability. It allows an outside attacker to force the system to create a new administrator account without needing permission. In the Metasploit logs, the tool automatically generates a random username (e.g., isela_fritsch) and a password to register itself as a valid admin.
- The Execution (CVE-2025-58034): Once the attacker has the admin account from the first step, they use this second vulnerability. It is an “Operating System Command Injection” flaw. It allows the logged-in admin to run deep system commands that are usually restricted.
The module automates this entire process: it creates a fake admin account, logs in, and immediately runs a command injection to open a reverse shell, as reported by Rapid7 on GitHub.
During the development of this module, researchers hit a roadblock involving the FortiWeb operating system kernel. The developer noted that standard “Fetch” payloads failed to work.
Usually, an exploit drops a small file into a temporary folder (like /tmp) and makes it executable using the chmod +x command.
However, the FortiWeb kernel actively blocks this action, showing a “Permission denied” error even to the root user.
To get around this, the Metasploit module avoids dropping binary files. Instead, it uses “Command” payloads: scripts written in Bash, Python, or OpenSSL.
These scripts can run directly in the device’s memory without needing special file permissions, bypassing the kernel’s defense mechanisms.
Network defenders should look for unusual account creation logs or unexpected administrative logins. The exploit typically creates a new admin user, performs a task, and then may attempt to hide its tracks.
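The pattern described above (an admin account appears and is used almost immediately) is something a SIEM rule can correlate. The following is an added example written for this article, not code from Rapid7 or the Metasploit module; the log line format is an assumed, simplified key=value syntax with constructed sample entries, not FortiWeb's real log format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in an assumed key=value format (not FortiWeb's real syntax).
# The first three lines mimic the chain from the article: an account created by an
# unauthenticated request, then a login and command execution seconds later.
SAMPLE_LOG = """\
2025-11-22T10:01:05Z event=admin_create user=isela_fritsch by=unauthenticated src=203.0.113.7
2025-11-22T10:01:09Z event=admin_login user=isela_fritsch src=203.0.113.7
2025-11-22T10:01:12Z event=cli_exec user=isela_fritsch
2025-11-22T11:30:00Z event=admin_create user=ops_backup by=admin src=10.0.0.5
2025-11-22T11:31:00Z event=admin_login user=ops_backup src=10.0.0.5
2025-11-22T12:00:00Z event=admin_create user=audit_ro by=admin src=10.0.0.5
2025-11-23T09:00:00Z event=admin_login user=audit_ro src=10.0.0.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+event=(?P<event>\w+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields["event"] = m.group("event")
    return fields

def find_suspicious_admin_chains(log_text, window=timedelta(minutes=10), known_admins=("admin",)):
    """Flag admin accounts that log in within `window` of being created.
    Severity is 'high' when the creator is not a known admin (the bypass case),
    'medium' when a legitimate admin created the account but it was used at once."""
    created = {}  # user -> admin_create event
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["event"] == "admin_create":
            created[ev["user"]] = ev
        elif ev["event"] == "admin_login" and ev["user"] in created:
            c = created[ev["user"]]
            delta = ev["ts"] - c["ts"]
            if delta <= window:
                findings.append({
                    "user": ev["user"],
                    "created_by": c.get("by", "?"),
                    "seconds_to_login": int(delta.total_seconds()),
                    "src": ev.get("src"),
                    "severity": "high" if c.get("by") not in known_admins else "medium",
                })
    return findings
```

Run against real appliance logs, the creator field and time window are the two knobs worth tuning: a short window catches automated chains like this module, while accounts created by unknown or unauthenticated actors deserve a look regardless of timing.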
Security teams should ensure their FortiWeb appliances are updated to the latest firmware version that immediately patches both CVEs.
The post Metasploit Framework Updated With Exploit for FortiWeb Zero-Day appeared first on Cyber Security News.
