Hub Appsec rule

More info

vpatch-CVE-2025-64446 AppSec Rule

« vpatch-CVE-2025-64446 »
v0.1 by crowdsecurity
AppSec rule

Detects FortiWeb authentication bypass via path traversal and CGIINFO header with admin impersonation

Installation

cscli appsec-rules install crowdsecurity/vpatch-CVE-2025-64446

YAML Configuration

1name: crowdsecurity/vpatch-CVE-2025-64446
2description: 'Detects FortiWeb authentication bypass via path traversal and CGIINFO header with admin impersonation'
3rules:
4  - and:
5      - zones:
6          - URI
7        transform:
8          - urldecode
9          - lowercase
10        match:
11          type: contains
12          value: '/api/v2.0/cmdb/system/admin'
13      - zones:
14          - URI
15        transform:
16          - urldecode
17          - lowercase
18        match:
19          type: contains
20          value: '../'
21      - zones:
22          - URI
23        transform:
24          - urldecode
25          - lowercase
26        match:
27          type: contains
28          value: '/cgi-bin/fwbcgi'
29      - zones:
30          - HEADERS
31        variables:
32          - CGIINFO
33        transform:
34          - b64decode
35          - lowercase
36        match:
37          type: contains
38          value: 'admin'
39
40labels:
41  type: exploit
42  service: http
43  confidence: 3
44  spoofable: 0
45  behavior: 'http:exploit'
46  label: 'FortiWeb - Authentication Bypass'
47  classification:
48    - cve.CVE-2025-64446
49    - attack.T1190
50    - cwe.CWE-23

Hub Appsec rule

« vpatch-CVE-2025-64446 »v0.1 by crowdsecurityAppSec rule

« vpatch-CVE-2025-64446 »
v0.1 by crowdsecurity
AppSec rule