Critical Fortinet FortiWeb Vulnerability Exploited in the Wild

Divyansh Ingle

Head of Engineering

November 18, 2025 3 min read

TL;DR

This article details a critical path traversal vulnerability (CVE-2025-64446) affecting Fortinet FortiWeb devices, which is currently being exploited. Attackers can bypass authentication to gain administrative access and create new accounts. The post outlines affected versions, technical details of the exploit, and crucial mitigation steps, including immediate patching and monitoring for indicators of compromise.

Critical Fortinet FortiWeb Vulnerability Under Active Exploitation

Description:
A critical vulnerability in Fortinet FortiWeb is being actively exploited, allowing unauthenticated attackers to execute administrative commands. The vulnerability, tracked as CVE-2025-64446, has a severity score of 9.1. It is a relative path traversal vulnerability that allows attackers to perform actions as a privileged user, including adding new administrator accounts.

Vulnerability Details

The relative path traversal vulnerability, identified as CVE-2025-64446, exists in Fortinet FortiWeb. This vulnerability (CWE-23: Relative Path Traversal) allows an unauthenticated attacker to execute administrative commands via crafted HTTP/HTTPS requests. The Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its Known Exploited Vulnerabilities catalog.

Affected versions include:

  • 8.0.0 through 8.0.1
  • 7.6.0 through 7.6.4
  • 7.4.0 through 7.4.9
  • 7.2.0 through 7.2.11
  • 7.0.0 through 7.0.11

Exploitation and Impact

The vulnerability allows attackers to bypass security measures and create new, privileged administrative accounts. According to Rapid7, successful exploitation grants administrator-level access to the FortiWeb Manager panel and websocket command-line interface. watchTowr noted that exploitation activity focuses on adding new administrator accounts as a persistence mechanism.

Silent Patch Concerns

Multiple researchers claim that Fortinet issued a silent patch in late October, weeks before the official guidance was released. Version 8.0.2 was released on October 28, but official guidance and a CVE were not released until November 14. Caitlin Condon, VP of security research at VulnCheck, stated that Fortinet has a history of issuing silent patches, creating confusion and potentially giving adversaries an advantage.

Technical Analysis of the Vulnerability

Qualys provided a technical analysis, detailing two flaws that enable the authentication bypass.

  1. Path Traversal: A path traversal weakness in the FortiWeb API allows attackers to traverse to the underlying fwbcgi CGI executable.

    POST /api/v2.0/cmd/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1

  2. Impersonation Mechanism: The fwbcgi binary handles authentication through the cgi_auth() function, which accepts user identity information from the client via a base64-encoded CGIINFO HTTP header. By supplying the correct JSON structure, attackers can impersonate the built-in admin account.

    {
      "username": "admin",
      "profname": "super_admin",
      "vdom": "root",
      "loginname": "admin"
    }

Mitigation Steps

Fortinet recommends upgrading to the following versions:

  • Upgrade to 8.0.2 or above
  • Upgrade to 7.6.5 or above
  • Upgrade to 7.4.10 or above
  • Upgrade to 7.2.12 or above
  • Upgrade to 7.0.12 or above

CISA advises disabling HTTP or HTTPS for internet-facing interfaces if immediate upgrades are not possible. Security teams should also inspect logs for unauthorized administrator accounts.

Indicators of Compromise (IOCs)

Qualys suggests checking for the following:

  • POST requests to /api/v2.0/cmd/system/admin%3F/../../../../../cgi-bin/fwbcgi from unauthorized IP addresses.
  • Requests containing base64-encoded CGIINFO headers.
  • Unknown administrator accounts created since early October 2025.
  • New local user accounts with prof_admin access profiles.
  • Accounts with trust host ranges set to 0.0.0.0/0 or ::/0.
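As an added illustration (not code from the article or from Qualys or Rapid7), the following Python scanner applies the first two indicators to request logs: it URL-decodes and normalizes each path to see whether it collapses onto the fwbcgi CGI via `..` traversal, and decodes any CGIINFO header so the triage output shows which user the request claims to be. The log line format and the sample entries are constructed assumptions, not FortiWeb's native log format.

```python
import base64
import json
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample request log (not from the article). Fields: client_ip method raw_path cgiinfo,
# where cgiinfo is the raw CGIINFO header value or "-" when the request carried none.
SAMPLE_LOG = [
    "203.0.113.7 POST /api/v2.0/cmd/system/admin%3F/../../../../../cgi-bin/fwbcgi "
    + base64.b64encode(b'{"username": "admin"}').decode(),
    "198.51.100.4 GET /api/v2.0/system/status -",
    "203.0.113.7 POST /api/v2.0/cmd/system/admin -",  # same API prefix, no traversal
]

def traverses_to_fwbcgi(raw_path):
    """True when the URL-decoded path uses '..' and collapses to the fwbcgi CGI."""
    decoded = unquote(raw_path)
    return ".." in decoded and normpath(decoded).endswith("/cgi-bin/fwbcgi")

def decode_cgiinfo(value):
    """Decode a base64 CGIINFO header into its JSON object; None if absent or malformed."""
    if value == "-":
        return None
    try:
        identity = json.loads(base64.b64decode(value, validate=True))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return None
    return identity if isinstance(identity, dict) else None

def scan_requests(lines):
    """One finding per suspicious request: (client_ip, reasons, username claimed in CGIINFO)."""
    findings = []
    for line in lines:
        ip, method, path, cgiinfo = line.split(" ", 3)
        reasons = []
        if method == "POST" and traverses_to_fwbcgi(path):
            reasons.append("path traversal to fwbcgi")
        identity = decode_cgiinfo(cgiinfo)
        if identity is not None:
            reasons.append("CGIINFO header present")
        if reasons:
            findings.append((ip, reasons, identity.get("username") if identity else None))
    return findings

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_LOG):
        print(finding)
```

Either reason on its own is worth a look: a normal FortiWeb client never sends a CGIINFO header, and the `/api/v2.0/cmd/` prefix should never resolve to a path under `/cgi-bin/`.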

Rapid7 observed that version 8.0.1 returns a 200 OK response upon successful exploitation, while version 8.0.2 returns a 403 Forbidden response for unsuccessful attempts.

HTTP/1.1 200 OK
{ "results": { "can_view": 0, "q_ref": 0, "can_clone": 1, "q_type": 1, "name": "hax0r", ... } }
HTTP/1.1 403 Forbidden
<html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p></body></html>

Gopher Security's Zero-Trust Solution

As organizations face increasing threats, Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity architecture. Our platform converges networking and security across devices, apps, and environments—from endpoints and private networks to cloud, remote access, and containers—using peer-to-peer encrypted tunnels and quantum-resistant cryptography. This approach ensures robust protection against vulnerabilities like CVE-2025-64446 by providing continuous authentication and authorization, thus minimizing the attack surface.

Take Action

Ensure your Fortinet FortiWeb versions are up to date and monitor for any signs of compromise. For enhanced protection against emerging threats, explore Gopher Security's Zero-Trust solutions. Visit https://gopher.security to learn more and contact us for a consultation.

Divyansh Ingle

Head of Engineering

AI and cybersecurity expert with 15 years of large-scale system engineering experience. Hands-on engineering director.
