[et_pb_section admin_label="section"] [et_pb_row admin_label="row"] [et_pb_column type="4_4"][et_pb_text admin_label="Text"]

Urgent Alert: CVE-2025-64446 — Exploited Zero-Day in FortiWeb (Path Traversal → Full Admin Take-Over)

Introduction

At Fortinet, the stakes are high — and when a Web Application Firewall (WAF) meant to protect your web apps becomes the entry point for an attacker, the business consequences can be severe. Today we dive into CVE‑2025‑64446, a newly disclosed (but already exploited) zero-day affecting Fortinet’s WAF product line, FortiWeb.

This post outlines what happened, why it matters, how it works, and — most importantly for Equal Tech Solutions’ audience — what you should do about it. If you manage or advise on network infrastructure, application security, or perimeter defense, this is one you can’t ignore.

What’s the vulnerability?

  • The flaw is a relative path traversal vulnerability (CWE-23) in FortiWeb, tracked as CVE-2025-64446.

  • It allows an unauthenticated attacker (i.e., no prior login/privilege needed) to send crafted HTTP or HTTPS requests to the FortiWeb management interface and execute administrative commands.

  • Specifically, the attacker can traverse to a CGI binary (fwbcgi) via a manipulated URL path such as:

    POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1

    This endpoint is abused to create local admin accounts on the device.

  • The National Vulnerability Database (NVD) lists the affected versions:

    • FortiWeb 8.0.0 through 8.0.1

    • FortiWeb 7.6.0 through 7.6.4

    • FortiWeb 7.4.0 through 7.4.9

    • FortiWeb 7.2.0 through 7.2.11

    • FortiWeb 7.0.0 through 7.0.11

  • The vendor fix versions:

    • 8.0.2 or above

    • 7.6.5 or above

    • 7.4.10 or above

    • 7.2.12 or above

    • 7.0.12 or above

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, ordering federal agencies to patch by November 21, 2025.

Why it matters — the risk for organizations

  1. Full admin takeover of the WAF appliance: Because the vulnerability allows creation of administrative accounts, an attacker gains full control of the device. That undermines not just the WAF but potentially all downstream protected assets.

  2. Perimeter security is circumvented: The WAF is usually a front line of defense for web apps. If it is compromised, the attacker can disable logging, roll their own rules, or pivot further.

  3. In the wild exploitation is confirmed: The vulnerability has been actively exploited since October 2025, even before formal CVE publication.

  4. Large attack surface: Many FortiWeb appliances are exposed to the internet (management interfaces facing outside). Attackers scan for them indiscriminately.

  5. Time-sensitive: Because CISA mandates rapid remediation and exploit code exists, organizations must act swiftly.

How it works (technical breakdown)

Here’s a high-level walkthrough:

  • Path Traversal Stage: The attacker uses a URL containing ../../../../../cgi-bin/fwbcgi, tricking the application into executing the fwbcgi binary which normally handles CGI requests.

  • Authentication Bypass Stage: Within the fwbcgi binary, a header named CGIINFO is expected. Attackers supply a Base64-encoded JSON object that includes fields like username, profname, vdom, loginname. The binary uses this data to impersonate a user (notably “admin”) and invoke privileged operations without proper authentication.

  • Administrative command execution: Once impersonated, the attacker can call commands that create new local administrator users, modify configuration, disable logs, etc. Example response when exploit succeeds includes JSON with the new user “hax0r”.

  • Silent patching: Interestingly, the version 8.0.2 (released Oct 28, 2025) appears to contain the fix but without clearly documenting this specific vulnerability in its release notes.

“The vulnerability itself? … As far as we can see, it’s actually two… a Path Traversal vulnerability … and an Authentication Bypass vulnerability.” — watchTowr blog

Recommended actions (what you should do now)

Since you’re writing for a technician-/security-audience and your company works installation of network/security equipment, here are concrete actions:

  1. Inventory & identify affected appliances

    • List all FortiWeb appliances (any model) in your infrastructure or in customer environments.

    • Determine firmware versions. The vulnerable versions are as noted above.

    • Prioritize any appliance whose management interface (HTTP/HTTPS) is exposed to the internet or publicly reachable.

  2. Patch immediately

    • If you are still running FortiWeb 8.0.0/8.0.1, or the 7.x versions noted, schedule immediate upgrade to the fixed versions (8.0.2+, 7.6.5+, etc).

    • If possible, perform the upgrade in maintenance windows, with backups and testing.

  3. Apply interim mitigations (if patching cannot yet be done)

    • Disable HTTP or HTTPS access on any internet-facing management interface of FortiWeb until the patch is applied.

    • Restrict management interface access to trusted internal networks only.

    • Monitor logs for evidence of new admin users, suspicious POST requests to the fwbcgi endpoint, and unusual configuration changes.

  4. Threat hunting & detection

    • Review historical logs (prior to patch) for POST requests to /api/v2.0/cmdb/system/admin or similar endpoints with path traversal (../…) sequences.

    • Look for creation of new admin accounts, especially with “trusthostv4: 0.0.0.0/0” or similar wildcard settings used by attackers.

    • Deploy IDS/IPS rules to alert on known exploit patterns (e.g., discovery of fwbcgi in URL path).

    • Consider scanning external facing assets (using Shodan, etc) to identify exposed FortiWeb appliances.

  5. Communicate to stakeholders

    • Alert your network-security teams, SOCs, and relevant vendors about the urgent patch.

    • Because this vulnerability is listed in CISA’s KEV catalog, compliance/regulatory impact may be present for U.S. federal agencies or contractors.

    • Use this as a reminder to review your standard patch-window processes and ensure critical appliances (especially security appliances) are included.

  6. Post-patch validation

    • After upgrading to the fixed version, validate that the exploit no longer works (e.g., test on a non-production appliance or use scanner module).

    • Confirm no unauthorized administrator accounts remain.

    • Monitor over time for any signs of persistent compromise (since exploitation may have occurred prior to patching).

Key take-aways for technicians & MSPs

  • Security appliances (firewalls, WAFs, VPN gateways) are not immune to zero-days. They are both valuable targets and high-impact when compromised.

  • Patch-management processes need to include infrastructure appliances — especially those exposed to the internet.

  • Silent fixes (patches without disclosure) create risk: defenders may not know why the patch was applied and cannot hunt for the underlying compromise.

  • The interconnection between management interface exposure + weak authentication + path-traversal equals a major risk vector.

  • Even after patching, assume compromise is possible — detection and response efforts must be ongoing.

Conclusion

CVE-2025-64446 is a textbook “security appliance turned vector” scenario: a WAF, meant to block attacks, is instead leveraged by attackers to gain full administrative control — all via a combination of path traversal and authentication bypass. With exploit code in the wild and indiscriminate targeting already underway, this is a high-priority vulnerability for any organization using FortiWeb.

As tech professionals (and for our clients at Equal Tech Solutions), the message is clear: identify, patch, mitigate, hunt, and validate — now. Waiting is not an option.

[/et_pb_text][/et_pb_column] [/et_pb_row] [/et_pb_section]