A critical authentication bypass vulnerability has been discovered in Fortinet FortiWeb Web Application Firewall (WAF), tracked as CVE-2025-64446 with a CVSS v3.1 score of 9.8 (Critical). This flaw allows unauthenticated attackers to execute administrative commands, including creating admin accounts, and completely compromise a device. This vulnerability affects numerous FortiWeb versions and has been actively exploited in the wild since early October 2025. Due to its severity and active exploitation, CISA has added CVE-2025-64446 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply fixes by November 21, 2025. Fortinet strongly recommends that customers upgrade to patched versions immediately.

Summary

Vulnerability: Unauthenticated authentication bypass and relative path traversal allowing administrative command execution.

CVE: CVE-2025-64446 (Fortinet FG-IR-25-910)

Impact: Unauthenticated attacker can execute administrative commands, create new admin accounts, and fully compromise the FortiWeb device. High confidentiality, integrity, and availability loss.

Affected versions:

FortiWeb 8.0.0 through 8.0.1

FortiWeb 7.6.0 through 7.6.4

FortiWeb 7.4.0 through 7.4.9

FortiWeb 7.2.0 through 7.2.11

FortiWeb 7.0.0 through 7.0.11

Severity: Critical, CVSS v3.1 9.8

Fix: Upgrade to FortiWeb 8.0.2, 7.6.5, 7.4.10, 7.2.12, 7.0.12 or above.

How the attack works

The core of CVE-2025-64446 is a combination of two distinct flaws that allow an attacker to bypass authentication. First, a path traversal vulnerability exists within the FortiWeb API. An attacker can craft a specific HTTP POST request to an API path like /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgienabling them to reach and execute the underlying fwbcgi CGI binary.

Second, the fwbcgi binary's cgi_auth() function handles authentication by accepting user identity information directly from the client via a Base64-encoded CGIINFO HTTP header. This function does not perform actual authentication; instead, it decodes and parses JSON attributes (username, profname, vdom, and loginname) from this header. Since the built-in "admin" account has consistent and unchangeable attributes across all FortiWeb devices, an attacker can reliably impersonate this account by supplying the correct JSON structure within the CGIINFO header. Once the cgi_auth() function processes this crafted header, all subsequent actions are executed with full administrative privileges, allowing the attacker to perform any privileged action, including creating new persistent admin accounts with their own credentials.

Exploitation in the wild

This critical vulnerability has been actively exploited in the wild since early October 2025, with cybersecurity researchers observing indiscriminate exploitation. Attackers have been seen sending specific payloads to the /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi endpoint to create new administrator accounts as a persistence mechanism. Examples of admin usernames and passwords created by detected payloads include "Testpoint / AFodIUU3Sszp5" and "trader1 / 3eMIXX43".

Fortinet has acknowledged the active exploitation and has issued a security advisory (FG-IR-25-910). The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has further underscored the urgency by adding CVE-2025-64446 to its Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to apply fixes by November 21, 2025. This indicates a high likelihood of continued and widespread exploitation by various threat actors.

What makes this so dangerous

This vulnerability presents a severe risk due to the following factors:

• Critical severity and active exploitation: A CVSS score of 9.8 (Critical) combined with confirmed active exploitation in the wild means this is an immediate and urgent threat.
• Unauthenticated remote access: The flaw can be triggered remotely over a network without requiring any username or password, making all vulnerable, internet-facing FortiWeb instances immediately susceptible to attack.
• Complete device compromise: Successful exploitation allows attackers to execute administrative commands and create persistent admin accounts, granting them full control over the FortiWeb device.
• Impact on a security appliance: The vulnerability compromises a Web Application Firewall, a device explicitly designed to protect web applications, turning a critical defense mechanism into an entry point.
• Bypasses Multi-Factor Authentication (MFA): In some scenarios, this type of vulnerability can bypass MFA entirely, as attackers impersonate the device itself or an authenticated session, not a user.

Mitigation steps and best practices

Administrators should prioritize patching immediately to close this easily accessible and actively exploited exposure.

1. Apply patches immediately: Fortinet strongly recommends applying the necessary updates. Upgrade affected systems to FortiWeb versions 8.0.2, 7.6.5, 7.4.10, 7.2.12, 7.0.12 or above.
2. Disable external management interfaces: As a temporary mitigation until patches can be applied, immediately disable HTTP or HTTPS access on any internet-facing management interfaces. CISA notes that this reduces, but does not eliminate, risk.
3. Review configurations and logs for compromise: Organizations running vulnerable versions should immediately check for Indicators of Compromise (IoCs) such as unexpected configuration modifications or the addition of unauthorized administrator accounts.
   
   1. Network-based IoCs: Look for POST requests to /api/v2.0/cmd/system/admin%3F/../../../../../cgi-bin/fwbcgi or similar path traversal patterns from unauthorized IP addresses, and requests containing Base64-encoded CGIINFO headers.
   2. Host-based IoCs: Investigate unknown administrator accounts created since early October 2025, new local user accounts with prof_admin access profiles, or accounts with trust host ranges set to 0.0.0.0/0 or ::/0.‍
4. ‍Continuous detection: Actively monitor your external attack surface for newly emerging, unauthenticated exposures like this one to ensure a rapid response process is in place. This shortens the window of opportunity for sophisticated attackers and helps identify newly exposed or forgotten vulnerable instances.

{{cta-demo}}