Fortinet FortiWeb Authentication Bypass (CVE-2025-64446) Exploited in the Wild
A critical authentication bypass vulnerability in Fortinet FortiWeb, CVE-2025-64446, is being actively exploited, allowing unauthenticated attackers to add admin accounts and fully compromise devices.
Fortinet FortiWeb is under active attack due to CVE-2025-64446, an authentication bypass vulnerability that allows unauthenticated attackers to gain full administrative control over affected appliances. The flaw, which combines a path traversal in the API endpoint `/api/v2.0/cmdb/system/admin/` with a crafted `CGIINFO` header, enables attackers to reach the `fwbcgi` CGI binary and execute privileged operations. Exploitation attempts have been observed in the wild, with threat actors adding rogue administrative accounts as a persistence mechanism.
The vulnerability affects multiple FortiWeb versions: 8.0.x before 8.0.2, 7.6.x before 7.6.5, 7.4.x before 7.4.10, 7.2.x before 7.2.12, 7.0.x before 7.0.12, and 6.4.x/6.3.x up to specific builds. Notably, Fortinet silently patched the issue in FortiWeb 8.0.2 without initially disclosing it, later releasing an advisory and assigning CVE-2025-64446. The path traversal allows an attacker to traverse from the API endpoint to the `fwbcgi` CGI, while the `CGIINFO` header bypasses authentication checks.
The attack works by sending a POST request to the vulnerable API endpoint with a path traversal sequence, followed by a base64-encoded `CGIINFO` header containing admin credentials. The `fwbcgi` binary then processes the request, allowing the attacker to add a new administrative user. The exploit is straightforward and has been demonstrated in proof-of-concept code, making it a serious threat to unpatched systems.
Fortinet has released patches for all affected versions, and administrators are urged to apply them immediately. The vulnerability is being actively exploited, and organizations using FortiWeb should check for signs of compromise, such as unexpected admin accounts or unusual API requests. CISA has not yet added this CVE to its Known Exploited Vulnerabilities catalog, but given the active exploitation, it may do so soon.
This incident highlights the risks of silent patching, where vulnerabilities are fixed without public disclosure, leaving users unaware of the threat. It also underscores the importance of rapid patch deployment, especially for internet-facing devices like web application firewalls. Fortinet customers should prioritize updating FortiWeb to the latest versions and review their security logs for indicators of compromise.