Fortinet FortiWeb Vulnerability (CVE-2025-64446) Exploited in the Wild for Full Admin Takeover

Threat actors have been actively exploiting a critical path-traversal vulnerability in Fortinet’s FortiWeb web application firewall since early October 2025, allowing unauthenticated attackers to create rogue administrator accounts and gain full control of exposed devices.

Researchers at watchTowr Labs first detailed the flaw publicly on November 13, 2025, describing a chain of a path traversal and an authentication bypass that lets an unauthenticated request reach the privileged fwbcgi CGI handler.

Fortinet confirmed the exploitation in its PSIRT advisory FG-IR-25-910, which assigned CVE-2025-64446; the advisory followed reports of indiscriminate global scanning of internet-facing appliances.

The exploit begins with a path traversal through the GUI API endpoint, for example POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi: the encoded question mark (%3F) followed by the ".." segments steers the request out of the API tree and into the fwbcgi binary, which is reached without any authentication.

Before executing privileged commands, this CGI handler performs two checks, cgi_inputcheck() and cgi_auth(). cgi_inputcheck() accepts any syntactically valid JSON body (and also passes when the config files it consults are absent), while cgi_auth() trusts a client-supplied CGIINFO header: a Base64-encoded JSON object such as {"username": "admin", "profname": "prof_admin", "vdom": "root", "loginname": "admin"} is enough to impersonate the built-in administrator.

Figure: Vulnerability exploitation chain (Source: watchTowr)

With that impersonated identity, attackers submit JSON payloads that create backdoor accounts with the prof_admin profile, a trusted-host range of 0.0.0.0/0 and an attacker-chosen password, gaining persistent administrative access without ever needing an existing credential or SSH key. Exposure can be checked remotely: a simple GET request to the traversed path returns HTTP 200 on vulnerable systems, while patched systems return 403.


The CVSS v3.1 base score is 9.1 (Critical): the attack is network-reachable, low complexity, and requires no privileges or user interaction, with high impact on confidentiality and integrity. With those exploitability metrics a 9.1 score implies the availability impact is rated none; a full confidentiality, integrity and availability impact would score 9.8.

Affected Versions

FortiWeb branch   Vulnerable range      Fixed version
8.0               8.0.0 - 8.0.1         8.0.2 or later
7.6               7.6.0 - 7.6.4         7.6.5 or later
7.4               7.4.0 - 7.4.9         7.4.10 or later
7.2               7.2.0 - 7.2.11        7.2.12 or later
7.0               7.0.0 - 7.0.11        7.0.12 or later
6.4               6.4.3 and earlier     none (end of life; migrate)
6.3               6.3.23 and earlier    none (end of life; migrate)
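The version ranges above are easy to misread when a fleet spans several branches (7.4.9 is vulnerable, 7.4.10 is fixed, and nothing in 6.4 will ever be fixed). The following Python is an added example, not code from Fortinet or watchTowr: it encodes the advisory table and triages a constructed inventory of hostnames and version strings (the hostnames, the "build" suffix format and the inventory values are assumptions for illustration), putting confirmed-vulnerable and end-of-life hosts first.

```python
import re

# Vulnerable patch ceiling and first fixed release per FortiWeb branch, taken
# from the advisory table above. A branch with no fixed release is end of life.
BRANCHES = {
    (8, 0): (1, "8.0.2"),
    (7, 6): (4, "7.6.5"),
    (7, 4): (9, "7.4.10"),
    (7, 2): (11, "7.2.12"),
    (7, 0): (11, "7.0.12"),
    (6, 4): (3, None),
    (6, 3): (23, None),
}

# Accepts "7.4.9" as well as strings such as "v7.4.9,build1234" (assumed format).
VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str):
    """Extract (major, minor, patch) from a version string; None if there is none."""
    m = VERSION_RE.match(text)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(version_text: str) -> dict:
    """Classify one version string against the advisory ranges."""
    v = parse_version(version_text)
    result = {"version": version_text}
    if v is None:
        return {**result, "status": "unparseable", "action": "confirm the version by hand"}
    branch = BRANCHES.get(v[:2])
    if branch is None:
        return {**result, "status": "not-listed", "action": "branch not in advisory; confirm with vendor"}
    last_vulnerable, fixed = branch
    if v[2] <= last_vulnerable:
        if fixed is None:
            return {**result, "status": "vulnerable-eol", "action": "no fix: migrate to a supported branch"}
        return {**result, "status": "vulnerable", "action": f"upgrade to {fixed} or later"}
    if fixed is None:
        return {**result, "status": "unknown", "action": "EOL branch past listed range; confirm with vendor"}
    return {**result, "status": "fixed",
            "action": "patched; still review admin accounts created before the upgrade"}


def triage(inventory: dict) -> list:
    """inventory maps hostname -> version string; returns one row per host, most urgent first."""
    urgency = {"vulnerable": 0, "vulnerable-eol": 0, "unknown": 1, "not-listed": 1,
               "unparseable": 1, "fixed": 2}
    rows = [{"host": host, **assess(version)} for host, version in inventory.items()]
    return sorted(rows, key=lambda r: (urgency[r["status"]], r["host"]))


def needs_action(inventory: dict) -> list:
    """Only the hosts confirmed inside a vulnerable range."""
    return [r for r in triage(inventory) if r["status"] in ("vulnerable", "vulnerable-eol")]


# Constructed inventory for illustration (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "waf-dmz-01": "7.4.9,build1234",
    "waf-dmz-02": "7.4.10",
    "waf-lab-01": "6.4.3",
    "waf-core-01": "8.0.2",
    "waf-old-01": "not recorded",
}

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']:<12} {row['version']:<16} {row['status']:<15} {row['action']}")
```

A host whose version cannot be parsed is ranked above patched hosts on purpose: an appliance with no recorded version is an unknown, not a pass.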

Indicators of exploitation include POST requests to the traversal URI carrying a python-urllib3 User-Agent, a CGIINFO header, and JSON bodies that embed administrator-creation data.
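The traversal path, the CGIINFO impersonation header and the User-Agent described above are all visible to a reverse proxy or to anyone parsing FortiWeb access logs, so they can be turned into a request classifier. The following Python is an added example, not code from watchTowr or Fortinet: it normalizes a request path the way the exploit relies on (decoding %3F, then resolving the ".." segments), decodes a CGIINFO header, and flags the indicators on a constructed set of sample requests. The sample traffic, the request dictionary shape and the field names in the POST body are assumptions for illustration; only the path, header content, prof_admin profile and 0.0.0.0/0 trusted host come from the article. The last sample shows the edge case a naive substring match gets wrong: ".." inside a genuine query string is not a traversal.

```python
import base64
import json
import posixpath
from urllib.parse import unquote

# Path shape described in the article: an encoded "?" (%3F) followed by ".."
# segments that walk out of the API tree and into the CGI directory.
EXPLOIT_PATH = "/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi"
TARGET_CGI = "/cgi-bin/fwbcgi"


def normalize_path(raw_path: str) -> str:
    """Decode a request path and resolve ".." as the backend ends up doing."""
    path_part = raw_path.split("?", 1)[0]       # a literal "?" starts a real query string
    decoded = unquote(path_part)                # %3F -> "?", %2E -> "." and so on
    return posixpath.normpath("/" + decoded.lstrip("/"))


def decode_cgiinfo(header_value: str):
    """Return the JSON object carried in a CGIINFO header, or None if it is not Base64 JSON."""
    try:
        obj = json.loads(base64.b64decode(header_value, validate=True))
    except ValueError:                          # covers binascii.Error and JSONDecodeError
        return None
    return obj if isinstance(obj, dict) else None


def classify_request(req: dict) -> list:
    """Name every indicator from the article that one HTTP request matches."""
    findings = []
    raw = req["path"]
    if ".." in unquote(raw) and normalize_path(raw) == TARGET_CGI:
        findings.append("traversal_to_fwbcgi")
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    info = decode_cgiinfo(headers.get("cgiinfo", ""))
    if info and {"username", "profname"}.issubset(info):
        findings.append(f"cgiinfo_impersonation:{info['username']}/{info['profname']}")
    if headers.get("user-agent", "").startswith("python-urllib3"):
        findings.append("python_urllib3_user_agent")
    if req["method"] == "POST" and "prof_admin" in req.get("body", ""):
        findings.append("admin_profile_in_body")
    return findings


def scan(requests: list) -> list:
    """Return (index, findings) for every request that matched at least one indicator."""
    return [(i, f) for i, r in enumerate(requests) if (f := classify_request(r))]


def _b64json(obj) -> str:
    return base64.b64encode(json.dumps(obj).encode()).decode()


# Constructed sample traffic (not captured data). The POST body uses illustrative
# field names; only prof_admin and 0.0.0.0/0 are taken from the article.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": EXPLOIT_PATH,
     "headers": {"User-Agent": "python-urllib3/2.2.3"}},
    {"method": "POST", "path": EXPLOIT_PATH,
     "headers": {"User-Agent": "python-urllib3/2.2.3",
                 "CGIINFO": _b64json({"username": "admin", "profname": "prof_admin",
                                      "vdom": "root", "loginname": "admin"})},
     "body": json.dumps({"name": "svc_backup", "profile": "prof_admin",
                         "trusted_host": "0.0.0.0/0", "password": "Hunter2!"})},
    {"method": "GET", "path": "/api/v2.0/cmdb/system/status",
     "headers": {"User-Agent": "Mozilla/5.0"}},
    # Edge case: ".." inside a genuine query string must not count as traversal.
    {"method": "GET", "path": "/api/v2.0/cmdb/system/admin?name=../cgi-bin/fwbcgi",
     "headers": {"User-Agent": "Mozilla/5.0"}},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: {', '.join(hits)}")
```

The traversal check compares the fully normalized path against /cgi-bin/fwbcgi rather than grepping for "fwbcgi", so double-encoded or differently nested variants of the same walk-out still match, while a benign request whose query string happens to mention the binary does not.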

Exploitation intensified after Defused Cyber's October reports of in-the-wild attempts, with attackers using Shodan-style queries to enumerate exposed hosts.

CISA added CVE-2025-64446 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate by November 21, 2025.

Fortinet had silently fixed the issue in releases such as 8.0.2 before public disclosure, without mentioning it in the release notes. The advisory recommends disabling HTTP/HTTPS on internet-facing interfaces as a workaround and reviewing logs for unauthorized administrators after upgrading. No remote code execution beyond administrative access has been confirmed, but a compromised WAF sits inline on application traffic and is a ready foothold for lateral movement into the rest of a Fortinet estate.

watchTowr released a Detection Artefact Generator on GitHub that produces exploit artifacts for building and testing YARA/Sigma detection rules.

Defenders should hunt for newly created local administrator accounts, anomalous fwbcgi log entries, and traversal URIs in proxy logs. Immediate upgrades, network segmentation, and zero-trust access to management interfaces are essential while the campaign continues.
