Severity
High
Analysis Summary
A critical path-traversal vulnerability in Fortinet’s FortiWeb web application firewall, tracked as CVE-2025-64446, has been actively exploited since early October 2025. The flaw allows unauthenticated attackers to create rogue administrator accounts, gaining full control over exposed devices. Researchers at first disclosed the vulnerability on November 13, 2025, highlighting a chain of path traversal and authentication bypass issues that enable attackers to reach sensitive CGI scripts, bypassing built-in protections. Fortinet confirmed the exploitation in its PSIRT advisory FG-IR-25-910, noting global scanning campaigns targeting internet-facing appliances.
The exploitation begins with a path traversal in the GUI API endpoint, e.g., POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi, granting access to the fwbcgi binary. This CGI handler relies on cgi_inputcheck() and cgi_auth() functions, both of which can be bypassed: cgi_inputcheck() accepts any valid JSON payload or missing config files, while cgi_auth() can be tricked using a Base64-encoded CGIINFO header containing admin credentials. Attackers can supply JSON payloads to create backdoor accounts with prof_admin profiles, full-trust host access (0.0.0.0/0), and custom passwords, achieving persistence without requiring SSH keys or legitimate credentials. Vulnerable systems respond with HTTP 200 to simple GET requests, whereas patched systems return 403.
The vulnerability carries a CVSS v3.1 base score of (Critical) due to low exploitation complexity, no required privileges, and severe impacts on confidentiality, integrity, and availability. Affected FortiWeb versions include 8.0.0–8.0.1, 7.6.0–7.6.4, 7.4.0–7.4.9, 7.2.0–7.2.11, 7.0.0–7.0.11, and older EOL versions like 6.4.3 and 6.3.23. Indicators of compromise include suspicious POST requests with python-urllib3 User-Agent, CGIINFO headers, and admin-creation payloads. Exploitation intensified after October disclosures, with attackers scanning for vulnerable hosts using Shodan-like queries.
Defensive measures include immediate upgrades to patched versions, disabling HTTP/HTTPS on internet-facing interfaces, reviewing logs for unauthorized admin accounts, and monitoring traversal URIs in proxies. Network segmentation and zero-trust principles for management interfaces are strongly recommended to mitigate lateral movement risks. The researcher also released a Detection Artefact Generator on GitHub, providing YARA/Sigma rules for hunting exploit artifacts. Organizations are urged to prioritize remediation, particularly as CISA added CVE-2025-64446 to its Known Exploited Vulnerabilities catalog, mandating federal agencies to patch by November 21, 2025.
Impact
- Gain Access
Indicators of Compromise
CVE
CVE-2025-64446
Affected Vendors
Remediation
- Update to fixed versions.
- Disable HTTP/HTTPS access on internet-facing interfaces until patched. Restrict access to internal, trusted networks only.
- Check for new users with prof_admin or suspicious privileges and remove or reset any accounts created during exploitation.
- Review fwbcgi logs for abnormal requests or traversal patterns. Watch for POST requests with python-urllib3 User-Agent or suspicious CGIINFO headers.
- Isolate management interfaces from production networks and limit lateral movement by applying least privilege access controls.
- Use YARA/Sigma rules from watchTowr Labs’ Detection Artefact Generator to detect exploit activity.
- Regularly scan for exposed FortiWeb devices and validate that no vulnerable endpoints remain online.
- Ensure incident response teams know how to detect, respond, and remediate path traversal exploitation attempts.