A critical authentication bypass vulnerability in Fortinet’s FortiWeb web application firewalls (WAF), identified as CVE-2025-64446 with a CVSS score of 9.8, is being actively and indiscriminately exploited in the wild. The flaw allows unauthenticated attackers to execute administrative commands and gain complete control of affected devices. Fortinet has released patches to address the issue, but exploitation was observed in the wild for over a month before a CVE was assigned, giving threat actors a significant head start.
Root Cause
The vulnerability is a path traversal issue within the FortiWeb appliance. It stems from a combination of two flaws: a path traversal bug that allows access to the fwbcgi executable and an authentication bypass exploited by manipulating the CGIINFO HTTP header to impersonate an existing administrator. By sending a specially crafted HTTP POST request to a vulnerable endpoint, an attacker can instruct the fwbcgi binary to grant them administrative privileges, as the application fails to properly validate user-supplied input used for file paths.
Proof of Concept (PoC)
Security researchers not only reproduced the vulnerability but also published a detailed analysis and a proof-of-concept (PoC) script, demonstrating the ease of exploitation. The exploit works by sending a carefully crafted HTTP POST request to a specific, non-standard API endpoint: /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi. The path traversal component (/../../../../../) allows the request to break out of the intended directory and access the sensitive fwbcgi CGI binary. The authentication bypass is achieved by including a custom HTTP header named CGIINFO. This header contains a Base64-encoded JSON payload that tells the application to process the request as if it were initiated by a legitimate, authenticated administrator, typically the default “admin” account. When run against a target, it generates a random username and password, crafts the malicious POST request with the forged CGIINFO header, and sends it to the vulnerable endpoint, resulting in the creation of a new administrator account on the device. In-the-wild attacks have been observed creating admin accounts with usernames such as Testpoint, trader1, and test1234point as a persistence mechanism.
Tactics, Techniques, and Procedures (TTPs)
The exploitation of this vulnerability aligns with several tactics and techniques:
| Tactic ID | Tactic Name | Technique ID | Technique Name | Description |
| TA0001 | Initial Access | T1190 | Exploit Public-Facing Application | The vulnerability exists in an internet-facing security appliance, providing attackers with a direct entry point into the network. |
| TA0004 | Privilege Escalation | T1068 | Exploitation for Privilege Escalation | The exploit itself elevates the unauthenticated attacker’s privileges to the highest level (administrator) on the compromised device. |
| TA0003 | Persistence | T1078 | Valid Accounts | By creating new administrator accounts, attackers ensure they retain access to the system even if the original vulnerability is discovered and patched. |
| TA0005 | Defense Evasion | T1556 | Modify Authentication Process | The core of the exploit involves bypassing the WAF’s standard authentication procedures by forging header information to impersonate a trusted user. |
Impact and Exploit Potential
The successful exploitation of this vulnerability has critical consequences, allowing an unauthenticated attacker to completely compromise an affected device. This grants them the ability to bypass all authentication mechanisms and execute arbitrary commands with the highest administrative privileges. Attackers have been observed creating new administrator accounts to establish a persistent foothold, gaining unauthorized access to sensitive data and the broader network. Furthermore, a compromised firewall can be reconfigured to alter or disable security policies, effectively neutralizing the WAF and leaving web applications exposed. The compromised device can also be used as a pivot point for launching further attacks and moving laterally within the internal network. Recognizing the severity, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-64446 to its Known Exploited Vulnerabilities (KEV) catalog, compelling federal agencies to apply patches swiftly.
Affected Products
The vulnerability impacts multiple versions of FortiWeb. The following versions are confirmed to be affected:
- FortiWeb 8.0.0 through 8.0.1
- FortiWeb 7.6.0 through 7.6.4
- FortiWeb 7.4.0 through 7.4.9
- FortiWeb 7.2.0 through 7.2.11
- FortiWeb 7.0.0 through 7.0.11
Mitigation and Recommendations
Fortinet has released patches and urges customers to upgrade to the latest versions immediately:
- FortiWeb 8.0.2 or above
- FortiWeb 7.6.5 or above
- FortiWeb 7.4.10 or above
- FortiWeb 7.2.12 or above
- FortiWeb 7.0.12 or above
Given the active exploitation, organizations should also:
- Investigate for Compromise: Thoroughly examine FortiWeb systems for signs of unauthorized activity, including the creation of new or unexpected administrator accounts.
- Monitor Network Traffic: Check logs for suspicious HTTP POST requests to the vulnerable endpoint.
- Restrict Access: As a temporary workaround until patching is complete, disable HTTP/HTTPS access to internet-facing interfaces. However, upgrading remains the only complete solution.
- Implement Network Segmentation: Limit the potential impact of a compromise by segmenting the network and implementing strong access controls.
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.