Critical Fortinet FortiWeb Vulnerability Exploited in the Wild

Fortinet FortiWeb vulnerability CVE-2025-64446 FortiWeb exploit path traversal vulnerability CISA KEV
Divyansh Ingle
Divyansh Ingle

Head of Engineering

 
November 18, 2025 3 min read
Critical Fortinet FortiWeb Vulnerability Exploited in the Wild

TL;DR

  • This article details a critical path traversal vulnerability (CVE-2025-64446) affecting Fortinet FortiWeb devices, which is currently being exploited. Attackers can bypass authentication to gain administrative access and create new accounts. The post outlines affected versions, technical details of the exploit, and crucial mitigation steps, including immediate patching and monitoring for indicators of compromise.

Critical Fortinet FortiWeb Vulnerability Under Active Exploitation

Description: A critical vulnerability in Fortinet FortiWeb is being actively exploited, allowing unauthenticated attackers to execute administrative commands. The vulnerability, tracked as CVE-2025-64446, has a severity score of 9.1. It is a relative path traversal vulnerability that allows attackers to perform actions as a privileged user, including adding new administrator accounts.

Vulnerability Details

The relative path traversal vulnerability, identified as CVE-2025-64446, exists in Fortinet FortiWeb. This vulnerability CWE-23: Relative Path Traversal allows an unauthenticated attacker to execute administrative commands via crafted HTTP/HTTPS requests. The Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its Known Exploited Vulnerabilities catalog.

Affected versions include:

  • 8.0.0 through 8.0.1
  • 7.6.0 through 7.6.4
  • 7.4.0 through 7.4.9
  • 7.2.0 through 7.2.11
  • 7.0.0 through 7.0.11

Exploitation and Impact

The vulnerability allows attackers to bypass security measures and create new, privileged administrative accounts. According to Rapid7, successful exploitation grants administrator-level access to the FortiWeb Manager panel and websocket command-line interface. watchTowr noted that exploitation activity focuses on adding new administrator accounts as a persistence mechanism.

Silent Patch Concerns

Multiple researchers claim that Fortinet issued a silent patch in late October, weeks before the official guidance was released. Version 8.0.2 was released on October 28, but official guidance and a CVE were not released until November 14. Caitlin Condon, VP of security research at VulnCheck, stated that Fortinet has a history of issuing silent patches, creating confusion and potentially giving adversaries an advantage.

Technical Analysis of the Vulnerability

Qualys provided a technical analysis, detailing two flaws that enable the authentication bypass.

  1. Path Traversal: A path traversal weakness in the FortiWeb API allows attackers to traverse to the underlying fwbcgi CGI executable.

    POST /api/v2.0/cmd/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1

  2. Impersonation Mechanism: The fwbcgi binary handles authentication through the cgi_auth() function, which accepts user identity information from the client via a base64-encoded CGIINFO HTTP header. By supplying the correct JSON structure, attackers can impersonate the built-in admin account.

    {
  "username": "admin",
  "profname": "super\\_admin",
  "vdom": "root",
  "loginname": "admin"
}

Mitigation Steps

Fortinet recommends upgrading to the following versions:

  • Upgrade to 8.0.2 or above
  • Upgrade to 7.6.5 or above
  • Upgrade to 7.4.10 or above
  • Upgrade to 7.2.12 or above
  • Upgrade to 7.0.12 or above

CISA advises disabling HTTP or HTTPS for internet-facing interfaces if immediate upgrades are not possible. Security teams should also inspect logs for unauthorized administrator accounts.

Indicators of Compromise (IOCs)

Qualys suggests checking for the following:

  • POST requests to /api/v2.0/cmd/system/admin%3F/../../../../../cgi-bin/fwbcgi from unauthorized IP addresses.
  • Requests containing base64-encoded CGIINFO headers.
  • Unknown administrator accounts created since early October 2025.
  • New local user accounts with prof_admin access profiles.
  • Accounts with trust host ranges set to 0.0.0.0/0 or ::/0.

Rapid7 observed that version 8.0.1 returns a 200 OK response upon successful exploitation, while version 8.0.2 returns a 403 Forbidden response for unsuccessful attempts.

HTTP/1.1 200 OK
{ "results": { "can_view": 0, "q_ref": 0, "can_clone": 1, "q_type": 1, "name": "hax0r", ... } }

HTTP/1.1 403 Forbidden
<html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p></body></html>

Gopher Security's Zero-Trust Solution

As organizations face increasing threats, Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity architecture. Our platform converges networking and security across devices, apps, and environments—from endpoints and private networks to cloud, remote access, and containers—using peer-to-peer encrypted tunnels and quantum-resistant cryptography. This approach ensures robust protection against vulnerabilities like CVE-2025-64446 by providing continuous authentication and authorization, thus minimizing the attack surface.

Take Action

Ensure your Fortinet FortiWeb versions are up to date and monitor for any signs of compromise. For enhanced protection against emerging threats, explore Gopher Security's Zero-Trust solutions. Visit https://gopher.security to learn more and contact us for a consultation.

Divyansh Ingle
Divyansh Ingle

Head of Engineering

 

AI and cybersecurity expert with 15-year large scale system engineering experience. Great hands-on engineering director.

Related News

CVE-2025-15467: Critical OpenSSL RCE and DoS Vulnerability Overview
OpenSSL vulnerability

CVE-2025-15467: Critical OpenSSL RCE and DoS Vulnerability Overview

Urgent: OpenSSL 3.x vulnerable to CVE-2025-15467, enabling pre-auth RCE. Learn affected versions, impact, and immediate mitigation steps. Protect your systems now!

By Divyansh Ingle March 10, 2026 4 min read
common.read_full_article
SolarWinds Patches Critical Web Help Desk RCE Vulnerabilities Now
SolarWinds Web Help Desk

SolarWinds Patches Critical Web Help Desk RCE Vulnerabilities Now

Critical RCE & Auth Bypass flaws in SolarWinds Web Help Desk are fixed! Don't risk it. Update to v2026.1 now to protect your systems. Learn more.

By Edward Zhou March 9, 2026 4 min read
common.read_full_article
AI vs Human Hackers: Who Prevails in 2026 Pen Testing?
AI hacking

AI vs Human Hackers: Who Prevails in 2026 Pen Testing?

Discover the results of a groundbreaking study comparing AI agents and human hackers in web vulnerability exploitation. See who prevails and what it means for your security. Read now!

By Jim Gagnard March 6, 2026 6 min read
common.read_full_article
Vulnerability Exploits Lead Cyber Intrusions in 2026 Trends
vulnerability exploits

Vulnerability Exploits Lead Cyber Intrusions in 2026 Trends

Exploits are now the top intrusion method, outpacing phishing. Discover why rapid vulnerability patching is critical and how to bolster your defenses. Read more!

By Edward Zhou March 4, 2026 4 min read
common.read_full_article