CVE-2025-64446 - Fortinet’s FortiWeb exploitation
A critical vulnerability in Fortinet’s FortiWeb Web Application Firewall, now assigned CVE-2025-64446 (CVSS 9.1), allows unauthenticated attackers to gain full administrator access to the FortiWeb Manager interface and its websocket CLI. The flaw became publicly known on October 6, 2025, after Defused shared a proof-of-concept exploit captured by their honeypots. Metasploit now has support for an auxiliary module admin/http/fortinet_fortiweb_create_admin which can be used to create a new administrative user, and an upcoming exploit module targeting Fortinet FortiWeb that exploits CVE-2025-64446 and CVE-2025-58034 for an authenticated command injection that allows for root OS command execution. For more details see Rapid7’s analysis on CVE-2025-64446
New module content (3)
Fortinet FortiWeb create new local admin
Authors: Defused and sfewer-r7
Type: Auxiliary Pull request: #20698 contributed by sfewer-r7
Path: admin/http/fortinet_fortiweb_create_admin
AttackerKB reference: CVE-2025-64446
Description: Adds a module for the recent FortiWeb 8.0.1 authentication bypass vulnerability allowing an attacker to create a new administrative user. The exploit is based on the PoC published by Defused.
Windows Persistent Service Installer
Authors: Green-m greenm.xxoo@gmail.com and h00die
Type: Exploit Pull request: #20638 contributed by h00die
Path: windows/persistence/service
Description: Updates the Windows service persistence to use the new mixin, adds the ability to run as either Powershell or sc.exe, and uses more libraries.
Windows WSL via Registry Persistence
Authors: Joe Helle and h00die
Type: Exploit
Pull request: #20701 contributed by h00die
Path: windows/persistence/wsl/registry
Description: Adds a new Windows persistence module - the WSL registry module. The module will create registry entries (Run, RunOnce) to run a Linux payload stored in WSL.
Enhancements and features (5)
- #20560 from cdelafuente-r7 - Adds references to MITRE ATT&CK technique T1021 "Remote Services" and its sub-techniques.
- #20638 from h00die - Updates the windows service persistence to use the new mixin, adds the ability to run as either Powershell or sc.exe, and uses more libraries.
- #20689 from zeroSteiner - Add tests for socket channels in Meterpreter and SSH sessions.
- #20699 from sfewer-r7 - Adds the CVE number and further guidance on vulnerable versions for the vulnerability.
- #20707 from bcoles - Updates multiple Linux reboot payloads to note that CAP_SYS_BOOT privileges are required.
Bugs fixed (2)
- #20687 from dwelch-r7 - This updates the auxiliary/scanner/winrm/winrm_login module to catch access denied errors when trying to create a shell session. This is then used to inform the operator that the target account's password is correct but they do not have permissions to start a shell with WinRM.
- #20695 from zeroSteiner - Updates the Java and PHP Meterpreter to send the local address and local port information back to Metasploit when opening TCP or UDP sockets on the remote host.
- #20708 from cdelafuente-r7 - Fixes a bug with msfdb when attempting to execute the program with bundle exec.
- #20711 from bcoles - Fixes description for AppendExit datastore option.
Documentation added (1)
- #20694 from cgranleese-r7 - Adds new documentation on Metasploit's post module support. Additionally adds documentation for the new create_process API that supersedes the legacy cmd_exec API.
You can always find more documentation on our docsite at docs.metasploit.com.
Missing rn-* label on Github (4)
Get it
As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro
- Metasploit
- Metasploit Weekly Wrapup