Fortinet FortiWeb CVE-2025-64446 Exploit: Critical Auth Bypass & Fixes

Observation Summary

Critical authentication bypass vulnerability in Fortinet FortiWeb WAF (CVE-2025-64446) is actively exploited by threat actors. The flaw allows unauthenticated attackers to gain administrative access through a crafted API request leveraging path traversal.

This vulnerability affects multiple FortiWeb versions and has been added to CISA’s Known Exploited Vulnerabilities catalog, signaling urgent remediation.

Understanding CVE-2025-64446

CVE-2025-64446 is a critical authentication bypass in FortiWeb’s administrative API. Attackers exploit improper validation in a backend CGI handler, enabling them to spoof admin-level identity information and gain unrestricted access.

This vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, indicating verified exploitation across multiple sectors.

What’s Happening?

• Vulnerability: CVE-2025-64446 (CVSS 9.8, High Severity)
• Impact: Full admin takeover with zero authentication
• Exploit Status: Public PoCs available, active exploitation confirmed
• Action Required: Patch immediately or restrict management access

How the Exploit Works (Attack Chain Breakdown)

1. Target Endpoint: /api/v2.0/cmdb/system/admin
2. Path Traversal Injection: Appends ?../../../../../cgi-bin/fwbcgi to redirect to backend CGI handler.
3. Spoofed CGI Environment: Sends HTTP_CGIINFO header with Base64-encoded JSON impersonating admin. {“user”:”admin”,”privilege”:”super_admin”}
4. Authentication Bypass: FortiWeb trusts spoofed data, granting full admin privileges.
5. Post-Exploitation: Attackers create accounts, modify configs, deploy webshells, and pivot laterally.

Affected FortiWeb Versions:

• 0.0–8.0.1 (fixed in 8.0.2)
• 6.0–7.6.4 (fixed in 7.6.5)
• 4.0–7.4.9 (fixed in 7.4.10)
• 2.0–7.2.11 (fixed in 7.2.12)
• 0.0–7.0.11 (fixed in 7.0.12)

Exploit Availability:

• Public PoC scripts on GitHub and Metasploit.
• Honeypot evidence confirms active exploitation since October 2025.

Exploit Evidence:

• Active exploitation confirmed by CISA, Qualys, Integrity360.
• Public PoC scripts are available on GitHub and Metasploit.

Indicators of Compromise (IOCs):

• HTTP requests containing /fwbcgi
• Creation of unauthorized admin accounts
• Unusual traffic from known exploit IP ranges
• Modified configuration files and disabled logging

Risk & Impact

Successful exploitation grants attackers unrestricted administrative control over FortiWeb appliances. This can lead to:

• Technical Risks: Configuration tampering, payload injection, disabling security features, lateral movement.
• Business Risks: Data breaches, service disruption, compliance violations, reputational damage.

Given its active exploitation and critical severity, organizations face immediate operational and security threats if unpatched.

Recommendations

Immediate Actions

• Upgrade FortiWeb to patched versions: 8.0 → 8.0.2+, 7.6 → 7.6.5+, 7.4 → 7.4.10+, 7.2 → 7.2.12+, 7.0 → 7.0.12+
• Disable HTTP/HTTPS management on public interfaces if upgrade is delayed.

Access Control

• Restrict management access to trusted internal networks only.

Monitoring & Detection

• Look for suspicious API calls with /fwbcgi
• Monitor for new admin accounts and unusual configuration changes
• Use vulnerability scanners (Qualys QID VULNSIGS-2.6.468-4+)

Long-Term Measures

• Implement strict patch management policies.
• Harden WAF configurations and enable detailed logging.
• Conduct regular regression scans for similar flaws.