Joseph Lee

CVE-2025-64446: A Lurking FortiWeb Vulnerability Proves Critical amid Active Exploitation

Blog

Discussion of a new security issue affecting Fortinet’s FortiWeb began circulating online in early October 2025, when cyber deception firm Defused reported capturing a working exploit via honeypot. FortiWeb is Fortinet’s web application firewall (WAF) platform, designed to shield web applications from malicious activity. For over one month, Defused’s revelation mostly lurked in the shadows; no CVE assignment, no acknowledgment from Fortinet. Security researchers recently noted that Fortinet seems to have silently patched the flaw without notifying users beforehand.

The issue finally hit the mainstream on November 13th, when watchTowr Labs posted a full proof-of-concept (PoC) exploit. One day later, the vulnerability was assigned an ID: CVE-2025-64446 (CVSS 9.8, EPSS 97th percentile) is now officially recognized as an actively exploited, critical severity issue in Fortinet FortiWeb. The flaw allows attackers to create rogue admin accounts and execute administrative actions.

Fortinet officially classifies CVE-2025-64446 as a Relative Path Traversal issue [CWE-23]. However, it should also be considered an Authentication Bypass Using an Alternate Path flaw [CWE-288], since URL manipulation allows attackers to access a legacy Common Gateway Interface (CGI) processor, which does not implement proper authentication. Users should consult Fortinet’s official advisory, conduct an immediate assessment to determine their risk, and consider emergency mitigation for this flaw.

A free trial of Greenbone’s OPENVAS BASIC is available for defenders to scan their enterprise IT infrastructure for emerging threats such as CVE-2025-64446 in Fortinet’s FortiWeb appliances.

How the Exploit against CVE-2025-64446 Works

The exploit chain for CVE-2025-64446 combines two core design flaws in FortiWeb:

  • A Relative Path Traversal vulnerability [CWE-23] allows unprotected URL routing between the management interface’s REST API and its CGI processor. This incorrect routing serves as an alternative path to bypass authentication.
  • An Authentication Bypass Using an Alternate Path flaw [CWE-288] in the CGI processor does not perform proper authentication for data provided via a connecting client’s CGIINFO HTTP header.

watchTowr’s Python-based PoC demonstrates how attackers can circumvent FortiWeb’s intended API and abuse the legacy CGI processor to create unauthorized admin accounts on the device. Here is how the exploit works:

  1. Attackers can communicate with the FortiWeb management port over HTTPS (port 443) with certificate validation disabled to avoid hang-ups with self-signed, outdated, or otherwise invalid certificates.
  2. Unpatched FortiWeb appliances do not properly sanitize the URI before applying authorization rules. Unauthenticated users can achieve path traversal by starting their request URL with https://api/v2.0/… while also traversing via ../../../../../ to cgi-bin/fwbcgi.
  3. Source code analysis revealed that FortiWeb’s legacy CGI backend includes a function named cgi_auth() that blindly trusts any authorization claims provided in the CGIINFO header if the username matches any existing user, including the built-in admin user. This means an unauthenticated attacker can spoof the admin user to gain elevated permissions.
  4. FortiWeb’s CGI processor then processes the rest of the request body with full administrative permissions.
  5. The attacker can submit a malicious JSON object that instructs the system to create a new administrator account with an arbitrary, attacker-controlled username and password to take full control of the device.
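From the defender's side, the two indicators in the chain above (a request path that traverses out of the REST API into the legacy cgi-bin/fwbcgi endpoint, and a client that supplies a CGIINFO header at all) can be hunted for in request logs. The following detector is an added example, not code from the original post or from watchTowr's PoC; the JSON-lines log format, the constructed records and the placeholder header value are assumptions.

```python
import json
import posixpath
from urllib.parse import unquote

# Legacy CGI processor path reached by the traversal described above.
CGI_ENDPOINT = "/cgi-bin/fwbcgi"

# Constructed sample request records (JSON lines). The format and the
# header value are assumptions, not a real FortiWeb log format.
SAMPLE_LOG = """
{"src": "203.0.113.10", "path": "/api/v2.0/../../../../../cgi-bin/fwbcgi", "headers": {"CGIINFO": "<placeholder>"}}
{"src": "198.51.100.5", "path": "/api/v2.0/system/status", "headers": {}}
{"src": "203.0.113.10", "path": "/api/v2.0/%2e%2e/%2e%2e/cgi-bin/fwbcgi", "headers": {}}
{"src": "192.0.2.8", "path": "/api/v2.0/user/list", "headers": {"CGIINFO": "<placeholder>"}}
"""

def normalize_path(raw: str) -> str:
    # Percent-decode twice (double encoding) and collapse '.'/'..' segments
    # the way a filesystem-style router would before dispatching.
    decoded = unquote(unquote(raw))
    return posixpath.normpath("/" + decoded.lstrip("/"))

def analyze(record: dict) -> list:
    # Return the indicators that make one request look like CVE-2025-64446 abuse.
    reasons = []
    raw = record["path"]
    norm = normalize_path(raw)
    if CGI_ENDPOINT in norm:
        how = "traversal to" if norm != raw else "direct request to"
        reasons.append(f"{how} legacy CGI processor")
    # The CGI backend reads authorization claims from CGIINFO; an external
    # client has no legitimate reason to send that header at all.
    if any(name.upper() == "CGIINFO" for name in record.get("headers", {})):
        reasons.append("client-supplied CGIINFO header")
    return reasons

def scan_log(text: str) -> list:
    # Collect (source, raw path, reasons) for every suspicious record.
    findings = []
    for line in text.strip().splitlines():
        record = json.loads(line)
        reasons = analyze(record)
        if reasons:
            findings.append((record["src"], record["path"], reasons))
    return findings

if __name__ == "__main__":
    for src, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{src} {path}: {'; '.join(reasons)}")
```

Run against the constructed log it reports three of the four records; the benign /api/v2.0/system/status request is left alone.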

How to Mitigate the Emerging Fortinet Vulnerability

FortiWeb users should consult Fortinet’s advisory, conduct an immediate assessment to determine their risk, and consider emergency mitigation for this flaw. The vendor also officially recommends disabling HTTP and HTTPS for internet-facing interfaces until an upgrade can be performed. If a FortiWeb HTTP/HTTPS Management interface is only accessible from internal network endpoints, the risk is reduced.

Organizations running unpatched versions of FortiWeb should consider this a critical priority issue. The following versions of FortiWeb are affected:

  • FortiWeb 8.0.0 through 8.0.1
  • FortiWeb 7.6.0 through 7.6.4
  • FortiWeb 7.4.0 through 7.4.9
  • FortiWeb 7.2.0 through 7.2.11
  • FortiWeb 7.0.0 through 7.0.11
  • FortiWeb 6.4 through 6.4.3 (disclosed by watchTowr Labs [1])
  • FortiWeb 6.3 through 6.3.23 (disclosed by watchTowr Labs)
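As an added example (not Greenbone's own version check nor anything from Fortinet), the following Python snippet encodes the ranges listed above and, for a constructed inventory, reports which appliances fall inside them and whether the range comes from Fortinet's advisory or only from watchTowr Labs. Hostnames and version strings in the inventory are constructed.

```python
# Affected FortiWeb version ranges as listed above; the last two come only
# from watchTowr Labs, not from Fortinet's own advisory.
AFFECTED = [
    ("vendor", (8, 0, 0), (8, 0, 1)),
    ("vendor", (7, 6, 0), (7, 6, 4)),
    ("vendor", (7, 4, 0), (7, 4, 9)),
    ("vendor", (7, 2, 0), (7, 2, 11)),
    ("vendor", (7, 0, 0), (7, 0, 11)),
    ("third-party", (6, 4, 0), (6, 4, 3)),
    ("third-party", (6, 3, 0), (6, 3, 23)),
]

def parse_version(text: str) -> tuple:
    # Accept "7.6.4" or "6.4"; a missing patch component is treated as 0.
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))

def assess(version: str):
    # Return None when the version lies outside every listed range, otherwise
    # the source that lists it ("vendor" or "third-party"). "None" only means
    # "not on either list", not "confirmed fixed".
    v = parse_version(version)
    for source, low, high in AFFECTED:
        if low <= v <= high:
            return source
    return None

def triage(inventory: dict) -> list:
    # inventory maps hostname -> version string; returns affected hosts only.
    hits = []
    for host, ver in inventory.items():
        source = assess(ver)
        if source is not None:
            hits.append((host, ver, source))
    return sorted(hits)

SAMPLE_INVENTORY = {  # constructed hostnames and versions
    "waf-dmz-01": "7.6.4",
    "waf-dmz-02": "7.6.5",
    "waf-lab-01": "6.4.2",
    "waf-core-01": "8.0.2",
}

if __name__ == "__main__":
    for host, ver, source in triage(SAMPLE_INVENTORY):
        print(f"{host} ({ver}) is in an affected range listed by: {source}")
```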

It’s important to note that Fortinet’s list of affected products is less comprehensive than the one provided by third-party security researchers. The EU’s Cyber Resilience Act (CRA) comes into effect in late 2026, bringing a new measure of legal accountability to software vendors that issue untimely or inaccurate security information to their users. The CRA will require software vendors to report known vulnerabilities and known exploits to ENISA within 24 hours.

Greenbone’s OPENVAS ENTERPRISE FEED Has Got You Covered

Greenbone’s vulnerability test development team assessed this emerging FortiWeb flaw before it was published as a CVE. A version check [1] and an active check [2] are now available in the OPENVAS ENTERPRISE FEED. These detection tests include both version-based checks and active checks that interact with appliances over HTTP to detect vulnerability to the flaw. This dual-layer approach ensures that organizations can reliably identify vulnerable FortiWeb instances.

As new details emerge, Greenbone will refine and expand coverage to ensure that customers can identify affected instances.

Joseph Lee

Joseph has had a varied and passionate background in IT and cyber security since the late 1980s. His early technical experience included working on an IBM PS/2, assembling PCs and programming in C++.

He also pursued academic studies in computer and systems engineering, anthropology and an MBA in technology forecasting.

Joseph has worked in data analytics, software development and, in particular, enterprise IT security. He specialises in vulnerability management, encryption and penetration testing.

17 November 2025, by Joseph Lee