Rapid7’s Metasploit team has released a new exploit module targeting critical zero-day vulnerabilities in Fortinet’s FortiWeb web application firewall, chaining two security flaws to achieve unauthenticated remote code execution with root privileges.
| CVE ID | Vulnerability Type | Affected Product | Impact |
|---|---|---|---|
| CVE-2025-64446 | Authentication Bypass | Fortinet FortiWeb | Administrative account creation, privilege escalation |
| CVE-2025-58034 | Command Injection | Fortinet FortiWeb | Remote Code Execution with root privileges |
Dual Vulnerability Chain Enables Complete Compromise
The exploit combines CVE-2025-64446, an authentication bypass vulnerability, with CVE-2025-58034, an authenticated command injection flaw, to deliver a devastating attack chain that grants attackers complete control over vulnerable FortiWeb appliances.
CVE-2025-64446 exploits a path traversal weakness that allows unauthenticated attackers to bypass authentication mechanisms and create administrative accounts on target systems.
The vulnerability leverages a specially crafted HTTP request with a malicious CGIINFO header to impersonate the built-in admin account, granting full administrative privileges without requiring valid credentials.
The authentication bypass works by sending a Base64-encoded JSON object containing admin credentials through the CGIINFO header, effectively allowing attackers to impersonate any user on the system.
The vulnerability affects the fwbcgi binary, which fails to properly validate authentication before processing administrative commands.
Once administrative access is established through CVE-2025-64446, attackers can leverage CVE-2025-58034 to execute arbitrary operating system commands with root privileges.
Rapid7’s analysis on AttackerKB details how this authenticated command injection vulnerability enables complete system compromise.
The Metasploit module automates the entire attack chain, first creating a new admin account via the authentication bypass, then exploiting the command injection to deploy payloads and establish persistent access.
Testing confirms the exploit successfully achieves root-level command execution on vulnerable systems, as demonstrated by the module returning “uid=0(root) gid=0(root)” when executed.
The vulnerabilities affect numerous FortiWeb versions across multiple branches.
The vulnerable versions include FortiWeb 8.0 before 8.0.2, 7.6 before 7.6.5, 7.4 before 7.4.10, 7.2 before 7.2.12, 7.0 before 7.0.12, and versions 6.4.3 and earlier, as well as 6.3.23 and earlier.
Evidence suggests these vulnerabilities have been exploited in the wild before patches were released.
Defused security researchers initially warned of active exploitation targeting Fortinet devices, with attackers using the vulnerability chain to create persistent administrative backdoors on compromised appliances.
Organizations can quickly test whether their FortiWeb installations are vulnerable by sending a specially crafted GET request to the API endpoint.
Systems returning HTTP 200 responses are vulnerable, while patched systems will return HTTP 403 errors.
WatchTower Labs has released a detection artifact generator on GitHub to help defenders identify vulnerable hosts within their networks.
The Metasploit module successfully delivers various Unix-based payloads, including reverse bash shells, OpenSSL connections, and Python reverse shells.
However, Linux fetch payloads encounter issues on affected systems because kernel-level protections prevent dropped binaries from being marked executable.
Despite these limitations, the exploit demonstrates reliable performance in achieving root access through command-based payloads.
Fortinet has released patches addressing both vulnerabilities in FortiWeb version 8.0.2 and corresponding fixes for earlier branches.
Organizations running affected versions should immediately upgrade to patched releases and review system logs for indicators of compromise, including suspicious admin account creation and unusual API requests targeting the fwbcgi binary.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and set GBH as a Preferred Source in Google.