Add vulnerability detection module for CVE-2025-32756 (Fortivoice/FortiMail RCE)#1502
Raavi29 wants to merge 6 commits into OWASP:master from
Conversation
Actionable comments posted: 2
🧹 Nitpick comments (2)
nettacker/modules/vuln/fortivoice_cve_2025_32756.yaml (1)
25-29: Consider adding `allow_redirects: false` for consistency.

The `fortiweb_cve_2025_64446.yaml` module includes `allow_redirects: false` (line 31), but this module omits it. For detection modules, disabling redirects is typically preferred to avoid following redirects to unrelated pages that could cause false positives.

Proposed fix:

```diff
  method: get
  timeout: 3
  headers:
    User-Agent: "{user_agent}"
+ allow_redirects: false
  ssl: false
```

nettacker/modules/vuln/fortiweb_cve_2025_64446.yaml (1)
50-52: Anchor the status code regex to avoid partial matches.

The regex `"200"` can match substrings like `"2001"`. Use anchors for exact matching.

Proposed fix:

```diff
  status_code:
-   regex: "200"
+   regex: "^200$"
    reverse: false
```
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@nettacker/modules/vuln/fortivoice_cve_2025_32756.yaml`:
- Around line 45-53: Update the response matching to require both the HTTP
status and Fortinet-specific content by changing response.condition_type from
"or" to "and"; keep the existing conditions keys (status_code and content) and
their regexes so the module only flags when both the status matches
(^(200|400|405|500)$) and the response body contains
FortiVoice/FortiMail/FortiGate/Fortinet/fortivoice/hostcheck.
- Around line 10-13: The YAML uses the plural key "references:" in the module
info block; change that key to the singular "reference:" so it matches the
Nettacker schema (locate the "info" block containing "references:" and rename
that mapping key to "reference:" without altering the list values or their
order).
---
Nitpick comments:
In `@nettacker/modules/vuln/fortivoice_cve_2025_32756.yaml`:
- Around line 25-29: The GET request block in fortivoice_cve_2025_32756.yaml is
missing allow_redirects and should match the detection pattern used in
fortiweb_cve_2025_64446.yaml; update the request stanza (the block containing
method: get, timeout: 3, headers: User-Agent, ssl: false) to add
allow_redirects: false so the detection doesn't follow redirects and risk false
positives.
In `@nettacker/modules/vuln/fortiweb_cve_2025_64446.yaml`:
- Around line 50-52: The status_code regex currently uses "200" which can match
substrings like "2001"; update the status_code -> regex value to an anchored
pattern (e.g. ^200$) so it only matches the exact status code, leaving reverse
unchanged; locate the status_code entry in fortiweb_cve_2025_64446.yaml to make
this change.
📒 Files selected for processing (3)
- docs/Modules.md
- nettacker/modules/vuln/fortivoice_cve_2025_32756.yaml
- nettacker/modules/vuln/fortiweb_cve_2025_64446.yaml
@Raavi29 I am unable to understand how the host
Thanks for the review @sankalp-b1401. On the false positive, you're correct. The initial scan was run before fixing `condition_type` from `or` to `and`. With `or`, any server responding to the endpoint path triggered detection since "hostcheck" appeared in the URL itself. This has been fixed in the latest commit; detection now requires both a matching status code AND Fortinet-specific content in the response body, which scanme.nmap.org would not satisfy. I'll redo the scan with the fixed module and attach updated screenshots. On the rebase, I will clean that up shortly.
ba639ff to 3c21158
Pull request overview
This PR introduces a new OWASP Nettacker vulnerability module intended to detect exposure of the Fortinet /remote/hostcheck_validate endpoint associated with CVE-2025-32756, and updates module documentation accordingly. It also includes substantial test-suite changes (new IP tests and a major rewrite/removal of SSL tests).
Changes:
- Add new vuln module `fortivoice_cve_2025_32756_vuln` with HTTP probing logic across common ports/schemes.
- Document the new module in `docs/Modules.md`.
- Add new IP utility tests and replace the existing SSL test suite with a minimal `is_weak_hash_algo` test set.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| tests/test_ip.py | Adds new unit tests for IP parsing/range helpers (but currently has ruff/format issues and scope mismatch with PR description). |
| tests/core/lib/test_ssl.py | Replaces the prior SSL test suite with a small hash-algorithm test set (significant coverage reduction). |
| nettacker/modules/vuln/fortivoice_cve_2025_32756.yaml | Adds the CVE-2025-32756 detection module YAML definition. |
| docs/Modules.md | Adds the new module to the module list (currently breaks alphabetical ordering). |
Updated screenshot @sankalp-b1401
I will update the same in the PR description as well
fdb2018 to 431b048
```python
# Empty string should return False, not raise an exception
assert is_weak_hash_algo("") is False
```

```python
def get_notAfter(self):
```
@Raavi29 why did you remove all our SSL tests? Also this file does not belong with the module - it is not testing the module functionality
```
@@ -0,0 +1,296 @@
import pytest
```
@Raavi29 this test is not relevant for the module and does not belong here, it should be in a separate PR
@Raavi29 This screenshot does not prove the module works; it shows a port scan of the nmap test website, which has nothing to do with Fortinet. The module itself is incorrect and does not address the CVE correctly.
@securestep9 Thank you for the review. Could you clarify what the correct detection approach should be for CVE-2025-32756? I want to make sure the module accurately reflects the vulnerability rather than just fingerprinting the endpoint. Happy to rework the detection logic completely based on your guidance.
- Tests weak algorithms: sha1, md5, md2, md4
- Tests case insensitivity (uppercase input)
- Tests safe algorithms: sha256, sha512, sha384
- Tests edge cases: empty string, random string
- All 11 tests passing

Part of improving test coverage for GSoC 2026

- TestIsSingleIPv4: 12 tests for IPv4 address validation
- TestIsSingleIPv6: 10 tests including None bug documentation
- TestIsIPv4Range: 8 tests (documents naming swap with is_ipv4_cidr)
- TestIsIPv4CIDR: 7 tests (documents naming swap with is_ipv4_range)
- TestIsIPv6Range: 6 tests for IPv6 dash-range detection
- TestIsIPv6CIDR: 8 tests for IPv6 CIDR detection
- TestGenerateIPRange: 7 tests covering both code branches
- TestGetIPRange: 4 tests using unittest.mock for HTTP isolation

Coverage: nettacker/core/ip.py 0% -> 83%

Note: is_ipv4_range/is_ipv4_cidr and is_ipv6_range/is_ipv6_cidr appear to have swapped names - documented in test docstrings

Adds vuln module fortivoice_cve_2025_32756_vuln to detect exposure of /remote/hostcheck_validate endpoint on Fortinet FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera devices.

CVE-2025-32756 is a CVSS 9.8 stack-based buffer overflow allowing unauthenticated RCE via crafted HTTP requests. Actively exploited in the wild and listed on CISA KEV catalog.

- Added docs/Modules.md entry
- Fixed reference: (singular) per Nettacker schema
- Fixed condition_type: and to prevent false positives

Closes OWASP#1382
1beed1b to 0a5ccba
@Raavi29 You need to test the module on an actual vulnerable instance. You can try looking for any possible instances via Shodan (but please make sure you do it ethically). In case you find instances that can't be used legitimately, then try to create a simulation of the vulnerable behaviour and test the module on it. If you are not able to test the module thoroughly then it would be better to drop this PR as it is unreliable right now. I'd advise you to try to work on vulnerabilities that can be tested reliably (look for ones in open-source software). Please connect with me on Slack if you want to discuss further.
@sankalp-b1401 Thank you for the honest guidance — that makes complete sense.


Proposed change
Summary
Adds a new vuln module `fortivoice_cve_2025_32756_vuln` to detect exposure of the `/remote/hostcheck_validate` endpoint on Fortinet devices affected by CVE-2025-32756.
Closes #1382
Vulnerability Details
Detection Approach
The module sends a GET request to `/remote/hostcheck_validate` on ports 80, 443, 8080, and 8443 over both HTTP and HTTPS. A response containing Fortinet-specific content fingerprints indicates the endpoint is exposed and the device may be vulnerable.
No exploitation is attempted; detection only.
Note: Detection targets `/remote/hostcheck_validate` based on technical analysis of the actual CVE and Fortinet's advisory, rather than the `/admin/api/status` endpoint suggested in the issue, which is not the vulnerable endpoint.
Type of change
Checklist
- `make pre-commit` and confirm it didn't generate any warnings/changes
- `make test` and I confirm all tests passed locally
- `docs/` folder
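To make the matching logic discussed in this thread concrete (the `or` versus `and` false positive described in the reply to @sankalp-b1401, the anchored status-code regex from the second nitpick, and the detection approach in this summary), the following is an added, standalone Python re-implementation of the module's two conditions. It is example code written for this page, not Nettacker's matching engine and not code from the PR. The status and content regexes are the ones quoted in the review comments above; the sample responses are constructed, not captured from any host; and `CONTENT_RE_NO_PATH_ECHO` is a hypothetical tightened fingerprint, not a regex from the module.

```python
import re

# Condition regexes as quoted in the review comments on this PR.
STATUS_RE = r"^(200|400|405|500)$"
CONTENT_RE = r"FortiVoice|FortiMail|FortiGate|Fortinet|fortivoice|hostcheck"

# Hypothetical tightened fingerprint (an assumption for this example, not from
# the module): drop the "hostcheck" token, which is a substring of the probed
# path and so appears in any error page that echoes the requested URL.
CONTENT_RE_NO_PATH_ECHO = r"FortiVoice|FortiMail|FortiGate|Fortinet|fortivoice"

PROBE_PATH = "/remote/hostcheck_validate"

# Constructed sample responses as (status, body); none are real captures.
SAMPLES = {
    # Page carrying a vendor name in the body.
    "forti_like": (200, "<html><title>FortiMail</title><body>hostcheck</body></html>"),
    # Generic web server whose 404 page echoes the requested path.
    "generic_404_echo": (404, f"<h1>Not Found</h1><p>The requested URL {PROBE_PATH} was not found.</p>"),
    # Catch-all front end that answers 200 for any path and echoes it.
    "catch_all_200_echo": (200, f"<html><body>No route for {PROBE_PATH}</body></html>"),
    # Unrelated 200 page with no Fortinet content at all.
    "plain_200": (200, "<html><body>It works!</body></html>"),
}


def evaluate(status, body, condition_type, content_re=CONTENT_RE, status_re=STATUS_RE):
    """Combine the status and content conditions the way `condition_type` selects."""
    status_ok = re.search(status_re, str(status)) is not None
    content_ok = re.search(content_re, body) is not None
    if condition_type == "and":
        return status_ok and content_ok
    if condition_type == "or":
        return status_ok or content_ok
    raise ValueError(f"unknown condition_type: {condition_type}")


def flagged(condition_type, content_re=CONTENT_RE):
    """Names of the sample responses that would be reported as hits."""
    return {
        name
        for name, (status, body) in SAMPLES.items()
        if evaluate(status, body, condition_type, content_re)
    }


def status_matches(regex, status):
    """Unanchored versus anchored status regex, as in the second nitpick above."""
    return re.search(regex, str(status)) is not None


if __name__ == "__main__":
    print("or                      :", sorted(flagged("or")))
    print("and                     :", sorted(flagged("and")))
    print("and, no path-echo token :", sorted(flagged("and", CONTENT_RE_NO_PATH_ECHO)))
    print("unanchored '200' vs 2001:", status_matches("200", 2001))
    print("anchored '^200$' vs 2001:", status_matches("^200$", 2001))
```

Two things the run shows. With `or`, every sample that answers 200 is flagged regardless of content, which is the scanme.nmap.org result discussed above. With `and`, the plain 200 page and the 404 drop out, but a catch-all server that returns 200 and echoes the request path still matches, because `hostcheck` is a substring of the probed path; only the tightened regex without that token leaves the vendor-name hit alone. That remaining match is still endpoint fingerprinting rather than evidence that the target is vulnerable, which is the reviewers' objection to the module as submitted.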