CVE-2025-64446
November 13, 2025

Critical FortiWeb CVE-2025-64446 Allows Unauthenticated Device Takeover

Security Advisory
Kudelski Security Team

Summary

A critical authentication bypass vulnerability in Fortinet FortiWeb, now identified as CVE-2025-64446, is being actively exploited in the wild. It allows unauthenticated attackers to gain full administrative control over vulnerable devices by sending specially crafted HTTP(S) requests. Initial research and forum chatter suggested that any version prior to 8.0.2 was at immediate risk. There is evidence of targeted attacks beginning in October 2025, and widespread exploitation is likely to ramp up, as the bug had been on sale on a popular black-hat forum for about a week at the time of writing. watchTowr Labs released a public PoC yesterday, November 13, and the bug has since been added to CISA's Known Exploited Vulnerabilities list. Fortinet's official PSIRT communication about this bug has somewhat tempered the initial claim that every FortiWeb version before 8.0.2 is affected; the affected version ranges are listed below.

Affected Systems and/or Applications

According to a newly released Fortinet PSIRT advisory, the following FortiWeb versions are affected:

Version        Affected               Solution
FortiWeb 8.0   8.0.0 through 8.0.1    Upgrade to 8.0.2 or above
FortiWeb 7.6   7.6.0 through 7.6.4    Upgrade to 7.6.5 or above
FortiWeb 7.4   7.4.0 through 7.4.9    Upgrade to 7.4.10 or above
FortiWeb 7.2   7.2.0 through 7.2.11   Upgrade to 7.2.12 or above
FortiWeb 7.0   7.0.0 through 7.0.11   Upgrade to 7.0.12 or above

Technical Details / Attack Overview

The vulnerability is an authentication bypass flaw that allows an unauthenticated, remote attacker to perform privileged administrative actions. Attackers exploit the flaw by sending a crafted HTTP POST request to the endpoint:

`/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi`

This request path appears to abuse path traversal and improper access control to reach a CGI interface (`fwbcgi`) that processes administrative commands without proper authentication.

The payload within the POST request is designed to create a new local administrator account. A successful exploitation returns a `200 OK` HTTP response with the details of the newly created admin account, including full administrative privileges (`"access-profile": "prof_admin"`). Attempts to exploit patched systems (version 8.0.2) result in a `403 Forbidden` response, indicating the vulnerability has been mitigated.

This zero-day exploit was observed being sold on black hat forums and is being used indiscriminately in the wild, suggesting a high likelihood that unpatched systems are already compromised.

Workarounds and Mitigations

Organizations are advised to take the following actions immediately:

  • Patch all FortiWeb appliances to their appropriate version's latest release.
  • If immediate patching is not possible, remove the FortiWeb management interface from exposure to the public internet. Restrict access to trusted internal networks or via secure remote access methods (e.g., VPN).
  • Systems running vulnerable versions and exposed to the internet may already be compromised. Conduct thorough investigations to identify any unauthorized administrator accounts or suspicious activity.
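As an added example for the investigation step above (this is not code from the advisory, from Fortinet or from the CFC), the following Python scans web-server-style access log lines for requests whose percent-decoded and normalised path resolves to the `fwbcgi` CGI through traversal, and grades each hit by the 200 OK versus 403 Forbidden behaviour described in the technical details. The combined log format and the sample lines are constructed assumptions; FortiWeb's own log format differs and would need its own parser.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined format (not real FortiWeb logs;
# FortiWeb's own traffic/attack log format differs and would need its own parser).
SAMPLE_LOGS = [
    '203.0.113.10 - - [12/Nov/2025:10:01:22 +0000] "POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512',
    '203.0.113.11 - - [12/Nov/2025:10:02:05 +0000] "POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1" 403 0',
    '198.51.100.7 - - [12/Nov/2025:10:03:40 +0000] "GET /api/v2.0/cmdb/system/admin?mkey=admin HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET = "/cgi-bin/fwbcgi"   # CGI reached by the traversal described in the advisory

def normalize_path(raw_path):
    """Percent-decode (bounded, in case of nested encoding) and collapse '..' segments,
    so the path is compared as a backend would resolve it rather than as it was sent."""
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return posixpath.normpath(path)

def scan(lines):
    """Return one finding per request that resolves to the fwbcgi CGI through traversal."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # A literal '?' ends the path; the advisory's %3F is part of the path and must
        # survive until normalisation, so split on the literal '?' before decoding.
        raw_path = m.group("path").split("?", 1)[0]
        if raw_path.startswith("/cgi-bin/") or normalize_path(raw_path) != TARGET:
            continue
        status = int(m.group("status"))
        # Per the advisory: 200 with account details = success, 403 = patched build.
        verdict = {200: "exploit_likely_succeeded", 403: "blocked_by_patch"}.get(status, "attempt")
        findings.append({"src": m.group("src"), "ts": m.group("ts"),
                         "status": status, "verdict": verdict, "raw_path": raw_path})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f['ts']} {f['src']} {f['status']} {f['verdict']}")
```

A `200` hit is a strong indicator that an unauthorised administrator account was created and the device should be treated as compromised, not merely patched.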

What the CFC is Doing

The CFC will continue to monitor the situation and send an advisory update if needed. Investigation of threat hunting possibilities is ongoing. Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.

References

  • https://www.fortiguard.com/psirt/FG-IR-25-910
  • https://www.rapid7.com/blog/post/etr-critical-vulnerability-in-fortinet-fortiweb-exploited-in-the-wild/
  • https://thehackernews.com/2025/11/fortinet-fortiweb-flaw-actively.html
  • https://www.bleepingcomputer.com/news/security/fortiweb-flaw-with-public-poc-actively-exploited-to-create-admin-users/
