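#!/usr/bin/env python3
"""
CVE-2026-44277 - FortiAuthenticator Unauthenticated RCE

Author : Ashraf Zaryouh / @0xBlackash
Github : https://www.github.com/0xBlackash/CVE-2026-44277

What this script actually does: it sends a plain GET to a fixed list of
API paths and reports which ones answer.  It carries no exploit payload.
A path that answers is *reachable*; that is not evidence that the host is
vulnerable, and an empty result is not evidence that it is patched.  Use
the installed firmware version against the vendor advisory to decide.
"""
import requests
import sys
import time  # not referenced in this file; left in place
from colorama import init, Fore, Style

init(autoreset=True)

# Paths probed by check_target(); each is requested with a plain GET.
API_PATHS = (
    "/api/v1/aaa",
    "/api/v1/fortiauth",
    "/api/v1/config",
    "/api/v1/backup",
    "/api/v1/import",
)

# The User-Agent deliberately identifies this tool.  Defenders can match
# "CVE-2026-44277 PoC" in reverse-proxy / WAF logs to see the scan.
HEADERS = {
    "User-Agent": "Mozilla/5.0 (CVE-2026-44277 PoC)",
    "Accept": "application/json",
}

# Status codes that count as "the route exists and answered".  403 and 500
# are included because an auth-protected or erroring route still shows the
# path is served.
REACHABLE_STATUSES = frozenset({200, 403, 500})

# Responses with bodies at or below this length are ignored; very short
# bodies are typically bare error pages rather than the API itself.
MIN_BODY_LENGTH = 50

# Default per-request timeout in seconds.
DEFAULT_TIMEOUT = 8


def banner():
    """Print the tool header as one red box (single print so autoreset keeps the colour)."""
    width = 62
    titles = (
        "CVE-2026-44277 - FortiAuthenticator",
        "Unauthenticated Remote Code Execution",
    )
    rows = [f"╔{'═' * width}╗"]
    rows.extend(f"║{text.center(width)}║" for text in titles)
    rows.append(f"╚{'═' * width}╝")
    print(f"{Fore.RED}\n" + "\n".join(rows) + Style.RESET_ALL)


def _is_reachable(status_code, body_length, *, min_body_length=MIN_BODY_LENGTH):
    """Return True when a response looks like a served endpoint.

    Args:
        status_code: HTTP status of the response.
        body_length: length of the decoded response body.
        min_body_length: bodies not longer than this are ignored.

    Returns:
        bool -- a reachability verdict only; it says nothing about exposure.
    """
    return status_code in REACHABLE_STATUSES and body_length > min_body_length


def check_target(target, paths=API_PATHS, timeout=DEFAULT_TIMEOUT):
    """Probe *target* for each path in *paths* and report which ones answer.

    Args:
        target: base URL of the appliance (scheme included); a trailing
            slash is tolerated.
        paths: iterable of URL paths to request (default: API_PATHS).
        timeout: per-request timeout in seconds.

    Returns:
        list of the paths that answered with a reachable status and a
        non-trivial body.  An empty list means nothing answered, not that
        the host is patched.

    Earlier versions printed "Potential vulnerable endpoint found!" for any
    reachable path; that claim was not supported by a GET that only shows
    the route exists, so the message now states reachability only.
    """
    print(f"{Fore.CYAN}[*] Targeting: {target}{Style.RESET_ALL}\n")
    base = target.rstrip("/")
    reachable = []
    for path in paths:
        url = base + path
        print(f"[*] Testing → {path}", end=" ")
        try:
            # verify=False: appliances commonly ship self-signed certs, but it
            # also removes TLS server authentication, so the tool should only
            # be pointed at hosts you are authorised to test over a trusted
            # path.  allow_redirects=True means a redirect to a login page can
            # still land as a 200 with a long body and count as "reachable".
            r = requests.get(
                url,
                headers=HEADERS,
                timeout=timeout,
                verify=False,
                allow_redirects=True,
            )
        except requests.RequestException as e:
            # The previous version bound ``e`` and discarded it; surface the
            # failure class so a timeout is distinguishable from a refused
            # connection or a missing URL scheme.
            print(f"{Fore.RED}→ Error ({type(e).__name__}){Style.RESET_ALL}")
            continue

        body_length = len(r.text)
        if _is_reachable(r.status_code, body_length):
            reachable.append(path)
            print(f"{Fore.GREEN}→ Reachable{Style.RESET_ALL}")
            print(
                f"{Fore.YELLOW}[!] Endpoint answered; reachability alone does not "
                f"confirm the vulnerability.{Style.RESET_ALL}"
            )
            print(f"    Status: {r.status_code} | Length: {body_length}")
        else:
            print(f"{Fore.YELLOW}→ {r.status_code}{Style.RESET_ALL}")

    print(f"\n{Fore.YELLOW}[!] Note: This is a detection PoC.{Style.RESET_ALL}")
    print(f"{Fore.YELLOW}    Full RCE requires specific payload not included for safety.{Style.RESET_ALL}")
    return reachable


if __name__ == "__main__":
    banner()
    if len(sys.argv) < 2:
        # The placeholder argument name was missing from the usage line.
        print("Usage: python3 CVE-2026-44277.py <target_url>")
        print("Example: python3 CVE-2026-44277.py http://192.168.1.50")
        sys.exit(1)
    target = sys.argv[1]
    check_target(target)
    print(f"\n{Fore.RED}[!] Update FortiAuthenticator to 6.5.7 / 6.6.9 / 8.0.3 or newer immediately.{Style.RESET_ALL}")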