Active Exploitation of Critical FortiWeb Authentication Bypass (CVE-2025-64446)
November 21st, 2025
Critical
Our Cyber Threat Intelligence Unit is monitoring the active exploitation of CVE-2025-64446, a critical vulnerability in Fortinet FortiWeb Web Application Firewall (WAF) appliances. The vulnerability allows unauthenticated attackers to execute administrative actions on vulnerable FortiWeb instances by exploiting a relative path traversal vulnerability combined with an authentication bypass. Attackers are using this vector to compromise administrative interfaces, deploy webshells, steal configurations, and pivot deeper into network environments. The vulnerability appears to have been silently patched in recent FortiWeb releases before formal advisories were issued, increasing the likelihood that internet-exposed appliances were compromised prior to detection. Given its severity and confirmed in-the-wild exploitation, CVE-2025-64446 poses critical risks to organizations running vulnerable versions of FortiWeb.
Technical Details
CVE ID: CVE-2025-64446.
Severity: Critical.
Vulnerability Type: Relative path traversal (CWE-23) combined with authentication bypass via manipulated CGIINFO header (CWE-288).
Delivery Method/Attack Chain:
Attackers send specially crafted HTTP/HTTPS POST requests to FortiWeb’s management API paths (e.g., /api/v2.0/...).
Requests use relative path traversal to reach ../../../../../cgi-bin/fwbcgi.
A malicious base64-encoded CGIINFO header contains attacker-supplied JSON that impersonates a privileged administrator (username, vdom, profname).
This allows unauthorized execution of administrative commands, such as creating new local admin accounts.
Exploit Availability: Public proof-of-concept code and exploitation tooling have been published by multiple vendors and researchers.
Affected Versions: FortiWeb 8.0.0 – 8.0.1, 7.6.0 – 7.6.4, 7.4.0 – 7.4.9, 7.2.0 – 7.2.11, 7.0.0 – 7.0.11.
Fixed versions: FortiWeb 8.0.2+, 7.6.5+, 7.4.10+, 7.2.12+, 7.0.12+.
Impact
Successful exploitation allows an unauthenticated attacker to gain complete administrative control of the FortiWeb appliance, resulting in:
Creation of rogue administrator accounts for long-term persistence.
Unauthorized modification of security policies, routing rules, or WAF protections.
Disabling or weakening inspection capabilities.
Exposure or tampering of configuration data.
Potential downstream compromise of applications and systems behind the WAF.
Increased likelihood of pre-patch compromise due to silent fixes and prolonged zero-day exploitation activity.
Compromise of a WAF directly affects the availability, integrity, and confidentiality of the environments it protects.
Detection Method
Organizations should immediately review FortiWeb appliances for indicators of unauthorized access:
Administrative Indicators:
Look for new or modified administrator accounts (e.g., unexpected users assigned to prof_admin or super_admin profiles).
Review recent configuration changes, especially to admin profiles or access rules.
Network & Log Indicators:
Inspect HTTP/HTTPS logs for requests containing ../../../../../cgi-bin/fwbcgi or anomalous traversal patterns targeting the management API.
Search for inbound traffic with a CGIINFO header containing base64-encoded JSON impersonating admin credentials (e.g., username=admin, vdom=root, privileged profname).
Monitor for POST requests to /api/v2.0/cmdb/system/admin?/../../../../../cgi-bin/fwbcgi.
Version Auditing:
Immediately inventory appliances running 8.0.1 and below, or 7.x builds prior to the fixed versions.
Assume exposure if systems were internet-facing during the exploitation window (early October to mid-November).
Access Exposure Checks:
Identify any FortiWeb management interfaces reachable from the internet.
Indicators of Compromise
There are No Indicators of Compromise (IOCs) for this Advisory.
Recommendations
Immediate Actions:
Upgrade to fixed FortiWeb releases (8.0.2+, 7.6.5+, 7.4.10+, 7.2.12+, 7.0.12+) without delay.
Restrict management interfaces (HTTPS/HTTP) to trusted internal networks only.
Disable internet-facing management access until patching is complete.
Conduct a full administrative account audit, removing unauthorized users.
Security Hardening:
Enable enhanced logging for access logs, admin actions, and configuration changes.
Apply network segmentation to isolate FortiWeb from untrusted or flat network zones.
Review historical logs back to early October 2025 for signs of compromise.
Treat unpatched appliances as potentially compromised and initiate a forensic review.
Conclusion
CVE-2025-64446 is a critical, actively exploited vulnerability that allows attackers to bypass authentication and gain administrative control of FortiWeb appliances. With evidence of zero-day exploitation preceding Fortinet’s public advisory, detection becomes more difficult. We urge organizations to assume higher risk if systems were exposed during the relevant timeframe. Immediate patching, strict management-plane isolation, and thorough post-exploitation reviews are essential to prevent further exploitation. Ongoing monitoring of vendor advisories and promptly applying updates are vital as attackers increasingly target WAFs and other perimeter security technologies.