CVE-2025-64446: A Lurking FortiWeb Vulnerability Proves Critical amid Active Exploitation
Discussion of a new security issue affecting Fortinet’s FortiWeb began circulating online in early October 2025, when cyber deception firm Defused reported capturing a working exploit via honeypot. FortiWeb is Fortinet’s web application firewall (WAF) platform, designed to shield web applications from malicious activity. For over one month, Defused’s revelation mostly lurked in the shadows; no CVE assignment, no acknowledgment from Fortinet. Security researchers recently noted that Fortinet seems to have silently patched the flaw without notifying users beforehand.
The issue finally hit the mainstream on November 13th, when WatchTowr Labs posted a full proof-of-concept (PoC) exploit. One day later, the vulnerability was assigned an ID: CVE-2025-64446 (CVSS 9.8) is now officially recognized as an actively exploited, critical severity issue in Fortinet FortiWeb. The flaw allows attackers to create rogue admin accounts and execute administrative actions.
Fortinet officially classifies CVE-2025-64446 as a Relative Path Traversal issue [CWE-23]. However, it should also be considered an Authentication Bypass Using an Alternate Path flaw [CWE-288], since URL manipulation allows attackers to access a legacy Common Gateway Interface (CGI) processor, which does not implement proper authentication. Users should consult Fortinet’s official advisory, conduct an immediate assessment to determine their risk, and consider emergency mitigation for this flaw.
A free trial of Greenbone’s OPENVAS BASIC is available for defenders to scan their enterprise IT infrastructure for emerging threats such as CVE-2025-64446 in Fortinet’s FortiWeb appliances.
How the Exploit against CVE-2025-64446 Works
The exploit chain for CVE-2025-64446 combines two core design flaws in FortiWeb:
- A Relative Path Traversal vulnerability [CWE-23] allows unprotected URL routing between the management interface’s REST API and its CGI processor. This incorrect routing serves as an alternative path to bypass authentication.
- An Authentication Bypass Using an Alternate Path flaw [CWE-288] in the CGI processor does not perform proper authentication for data provided via a connecting client’s CGIINFO HTTP header.
WatchTowr’s Python-based PoC demonstrates how attackers can circumvent FortiWeb’s intended API to abuse the legacy CGI processor to create unauthorized admin accounts on the device. Here is how the exploit works:
- Attackers can communicate with FortiWeb management port over HTTPS (port 443) with certificate validation disabled to avoid hang-ups with self-signed, outdated, or otherwise invalid certificates.
- Unpatched FortiWeb appliances do not properly sanitize the URI before applying authorization rules. Unauthenticated users can achieve path traversal by starting their request URL with https://api/v2.0/… while also traversing via ../../../../../ to cgi-bin/fwbcgi.
- Source code analysis revealed that FortiWeb’s legacy CGI backend includes a function named cgi_auth(), that blindly trusts any authorization claims provided in the CGIINFO header if the username matches any existing user; including the built-in admin user. This means an unauthenticated attacker can spoof the admin user to gain elevated permissions.
- FortiWeb’s CGI processor then processes the rest of the request body with full administrative permissions.
- The attacker can submit a malicious JSON object that instructs the system to create a new administrator account with an arbitrary, attacker-controlled username and password to take full control of the device.
How to Mitigate the Emerging Fortinet Vulnerability
FortiWeb users should consult Fortinet’s advisory, conduct an immediate assessment to determine their risk, and consider emergency mitigation for this flaw. The vendor also officially recommends disabling HTTP and HTTPS for internet-facing interfaces until an upgrade can be performed. If a FortiWeb HTTP/HTTPS Management interface is only accessible from internal network endpoints, the risk is reduced.
Organizations running unpatched versions of FortiWeb should consider this a critical priority issue. The following versions of FortiWeb are affected:
- FortiWeb 8.0.0 through 8.0.1
- FortiWeb 7.6.0 through 7.6.4
- FortiWeb 7.4.0 through 7.4.9
- FortiWeb 7.2.0 through 7.2.11
- FortiWeb 7.0.0 through 7.0.11
Greenbone’s OPENVAS ENTERPRISE FEED Has Got You Covered
Greenbone’s vulnerability test development team assessed this emerging FortiWeb flaw before it was published as a CVE, and detection modules are now available in the OPENVAS ENTERPRISE FEED. These detection tests include both version-based checks and active checks that interact with appliances over HTTP to detect vulnerability to the flaw. This dual-layer approach ensures that organizations can reliably identify vulnerable FortiWeb instances.
As new details emerge, Greenbone will refine and expand coverage to ensure that customers can identify affected instances. A free trial of Greenbone’s OPENVAS BASIC is available for defenders to scan their enterprise IT infrastructure for emerging threats such as CVE-2025-64446 in Fortinet’s FortiWeb appliances.
Joseph has had a varied and passionate background in IT and cyber security since the late 1980s. His early technical experience included working on an IBM PS/2, assembling PCs and programming in C++.
He also pursued academic studies in computer and systems engineering, anthropology and an MBA in technology forecasting.
Joseph has worked in data analytics, software development and, in particular, enterprise IT security. He specialises in vulnerability management, encryption and penetration testing.
