PoC Exploit Tool Released for FortiWeb WAF Vulnerability Exploited in the Wild

A proof-of-concept (PoC) exploit tool for CVE-2025-64446 has been publicly released on GitHub. The vulnerability, a critical relative path traversal flaw in Fortinet's FortiWeb appliances, has already been exploited in the wild; it lets an unauthenticated attacker reach CGI endpoints that are supposed to be restricted to authenticated administrators.

Security researchers warn that the tool's availability is likely to accelerate exploitation attempts against unpatched systems worldwide.

CVE-2025-64446 affects FortiWeb's web management interface (GUI), enabling attackers to bypass access controls and create or modify administrator accounts through directory traversal.

Publicly disclosed by Fortinet in November 2025, the flaw stems from improper handling of relative path traversal sequences in requests that reach the appliance's CGI handler. A successful attacker can execute administrative commands without authenticating, which amounts to full compromise of the device.

According to Fortinet's advisory (FG-IR-25-910), affected versions are FortiWeb 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11 and 7.0.0 through 7.0.11. Threat intelligence firms observed exploitation in the wild as early as October 2025, before the advisory was published.

The vulnerability is rated critical (CVSSv3 9.1 in Fortinet's advisory), reflecting its potential for widespread impact on enterprises that rely on FortiWeb to protect web traffic.


The PoC, developed by GitHub user sxyrxyy and shared under the repository “CVE-2025-64446-FortiWeb-CGI-Bypass-PoC,” provides a straightforward Python-based script for testing and exploiting the flaw.

Designed for authorized security testing, the tool requires minimal setup: users simply install dependencies via “pip install -r requirements.txt” before running the exploit script.

For vulnerability verification, the command "python3 exploit.py -t <target> --check" probes the target without making changes, confirming whether the system is susceptible to the traversal.

In exploit mode, "python3 exploit.py -t <target> --exploit" abuses the CGI endpoint to create or modify an administrative account, defaulting to the username "sxy" and password "sxyrxyadmin1!".

Advanced options enhance the tool’s flexibility for penetration testers. Custom parameters allow specifying usernames, passwords, profile names (default: prof_admin), VDOM instances (default: root), and login names (default: admin).

For batch operations, the script can load multiple targets from a file such as targets.txt, one host per line (for example 192.168.1.100, 192.168.1.101 and 192.168.1.102), and test each in turn.

The port defaults to 443 for HTTPS, the "--http" flag switches to unencrypted HTTP, and the "--testpoint-name" option sets the name of the account to create, defaulting to "Testpoint".
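As an added example, not code from the article, the PoC repository or Fortinet, the following Python script shows the defensive side of what the article describes: triaging web-server access logs for traversal sequences that resolve into a CGI path, and checking a device's administrator list against the PoC's default account names ("sxy" and "Testpoint"). The log format, IP addresses and CGI file name are constructed for illustration; the real FortiWeb request shape is deliberately not reproduced.

```python
"""Added example, not from the article or the PoC repository: triage helpers for
the path-traversal-to-CGI technique described above. Log format, addresses and
CGI path are constructed for illustration, not FortiWeb's real request shape."""
import re
from urllib.parse import unquote

# Default account names the article attributes to the PoC ("sxy" and
# "Testpoint"); an admin with one of these names that nobody created is an
# indicator of compromise worth escalating.
SUSPECT_ADMIN_NAMES = {"sxy", "testpoint"}

# Combined-log-format line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(raw: str) -> str:
    """Percent-decode until the value stops changing, so %2e%2e and the
    double-encoded %252e%252e both end up as '..'. Capped so pathological
    input cannot loop forever."""
    value = raw
    for _ in range(4):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_path(request_target: str) -> str:
    """Drop the query string, decode, then collapse '.' and '..' the way a
    lenient path resolver would. Only a literal '?' ends the path: an
    encoded %3F is path data and stays inside its segment, which is the
    kind of ambiguity traversal bugs feed on."""
    path = decode_fully(request_target.split("?", 1)[0])
    resolved = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(seg)
    return "/" + "/".join(resolved)


def is_traversal_to_cgi(request_target: str) -> bool:
    """True when the request carries a '..' segment and, once resolved,
    lands inside /cgi-bin/. Either condition alone is benign noise."""
    decoded = decode_fully(request_target.split("?", 1)[0])
    has_dotdot = ".." in decoded.split("/")
    return has_dotdot and resolve_path(request_target).startswith("/cgi-bin/")


def scan_log_lines(lines):
    """Return one record per request that matches the traversal pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_traversal_to_cgi(m["target"]):
            continue
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "raw": m["target"], "resolved": resolve_path(m["target"]),
            "status": int(m["status"]),
        })
    return hits


def find_suspect_admins(admin_names):
    """Admin accounts whose names match the PoC defaults (case-insensitive)."""
    return sorted(n for n in admin_names if n.lower() in SUSPECT_ADMIN_NAMES)


# Constructed sample log lines (not real FortiWeb logs).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Oct/2025:10:21:07 +0000] "GET /api/v2.0/status HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Oct/2025:10:21:09 +0000] "POST /api/v2.0/endpoint/../../../cgi-bin/admin.cgi HTTP/1.1" 200 77',
    '198.51.100.7 - - [06/Oct/2025:10:21:11 +0000] "POST /api/v2.0/endpoint/%2e%2e/%2e%2e/%2e%2e/cgi-bin/admin.cgi HTTP/1.1" 200 77',
    '192.0.2.33 - - [06/Oct/2025:10:22:00 +0000] "GET /static/../img/logo.png HTTP/1.1" 200 3054',
    '192.0.2.33 - - [06/Oct/2025:10:22:03 +0000] "GET /cgi-bin/healthcheck.cgi HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['raw']} -> {hit['resolved']} ({hit['status']})")
    print("suspect admins:", find_suspect_admins(["admin", "sxy", "ops", "Testpoint"]))
```

Two design points matter in practice: decoding is repeated until stable so single- and double-encoded dot segments are both caught, and the query string is split off before decoding so that an encoded "?" remains part of the path rather than silently truncating it. Run against real logs, the second condition (resolving into /cgi-bin/) is what keeps ordinary "../" noise from static-asset paths out of the alert queue.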

Experts emphasize the tool’s dual-edged nature: while invaluable for defensive assessments, its public release amplifies threats to outdated FortiWeb deployments in sectors like finance and healthcare.

Fortinet urges immediate upgrading to a fixed release (8.0.2, 7.6.5, 7.4.10, 7.2.12 or 7.0.12 and later); until that is possible, its advisory recommends disabling HTTP and HTTPS management on internet-facing interfaces. Administrators should also review the device's admin accounts for entries they did not create and segment the management network to limit lateral movement. The repository's disclaimer stresses use only on owned or permitted systems, in line with authorized-testing norms.

