Menace actors have been actively exploiting a essential path-traversal vulnerability in Fortinet’s FortiWeb internet utility firewall since early October 2025, permitting unauthenticated attackers to create rogue administrator accounts and acquire full management of uncovered units.
Researchers at watchTowr Labs first detailed the flaw on November 13, 2025, revealing a sequence of path traversal and authentication bypass points that bypass protections to achieve delicate CGI scripts.
Fortinet confirmed the exploitation in its PSIRT advisory (FG-IR-25-910), assigning CVE-2025-64446 with reviews of indiscriminate international scans concentrating on internet-facing home equipment.
The exploit begins with a path traversal within the GUI API endpoint, reminiscent of POST /api/v2.0/cmdb/system/adminpercent3F/../../../../../cgi-bin/fwbcgi, enabling unauthenticated entry to the fwbcgi binary.
This CGI handler performs two checks, cgi_inputcheck() and cgi_auth(), earlier than executing privileged instructions. cgi_inputcheck() passes for any legitimate JSON payload or absent config information, whereas cgi_auth() impersonates customers by way of a Base64-encoded CGIINFO header containing admin credentials like {“username”: “admin”, “profname”: “prof_admin”, “vdom”: “root”, “loginname”: “admin”}.
Vulnerability Exploitation Chain (Supply: WatchTowr)
Attackers provide JSON payloads to create backdoor accounts with prof_admin profiles, full-trust host entry (0.0.0.0/0), and customized passwords, thereby reaching persistence with out passwords or SSH keys. A easy GET request to the traversed path returns HTTP 200 on susceptible methods (patched methods return 403).
The CVSS v3.1 base rating is 9.1 (Vital), pushed by its low complexity, no required privileges, and excessive impression on confidentiality, integrity, and availability.
Affected Variations
FortiWeb VersionVulnerable RangeFixed Version8.08.0.0 – 8.0.18.0.2+7.67.6.0 – 7.6.47.6.5+7.47.4.0 – 7.4.97.4.10+7.27.2.0 – 7.2.117.2.12+7.07.0.0 – 7.0.117.0.12+6.4<= 6.4.3N/A (EOL)6.3<= 6.3.23N/A (EOL)
Indicators embrace suspicious POST requests with python-urllib3 Person-Agent, CGIINFO headers, and payloads embedding admin creation information.
Exploitation peaked after the October disclosures from Defused Cyber, with attackers scanning for susceptible hosts by way of Shodan-like queries.
⚠️ Roughly over the past week, we’re seeing elevated charges of FortiGate vulnerability enumeration, particularly targetting the pathway utilized in CVE-2022-40684 These should not solely hitting Fortinet honeypots but in addition different honeypot varieties, suggesting widespread fingerprinting pic.twitter.com/wiM5pHkIYJ— Defused (@DefusedCyber) December 8, 2025
CISA added CVE-2025-64446 to its Identified Exploited Vulnerabilities catalog, mandating federal remediation by November 21, 2025.
Fortinet silently patched in releases like 8.0.2 earlier than public disclosure, omitting particulars from preliminary notes. The advisory urges disabling HTTP/HTTPS on internet-facing interfaces as a workaround and post-upgrade log critiques for unauthorized admins. No RCE past admin entry confirmed, however compromised WAFs threat lateral motion in Fortinet ecosystems.
watchTowr launched a Detection Artefact Generator on GitHub for YARA/Sigma guidelines concentrating on exploit artifacts.
Defenders ought to hunt for brand spanking new native customers, anomalous fwbcgi logs, and traversal URIs in proxies. Rapid upgrades, community segmentation, and zero-trust for administration interfaces are important amid ongoing campaigns.
Observe us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to function your tales.
