CVE-2025-64446: Critical FortiWeb Path Traversal Vulnerability Under Active Exploitation
Fortinet’s FortiWeb has come under critical scrutiny following the discovery of CVE-2025-64446, a pre-authentication vulnerability now confirmed to be exploited in the wild. The vulnerability enables attackers to gain administrative access and execute privileged operations remotely, without credentials.
With confirmations from Fortinet PSIRT, CISA, and multiple security researchers, organizations using affected FortiWeb versions are urged to treat this as an emergency patching priority. The vulnerability has a CVSS score of 9.1/9.8 (Critical) depending on the scoring source.
This blog breaks down how the vulnerability works, why it is dangerous, and how attackers are exploiting it.
What Is CVE-2025-64446?
CVE-2025-64446 is a relative path traversal vulnerability in FortiWeb that allows an unauthenticated user to reach internal administrative CGI components that are normally protected behind authentication controls.
Once the attacker reaches these components, a second logic vulnerability enables them to spoof administrator identity and execute any privileged command available to a legitimate admin.
This combination directly results in remote code execution (RCE) and full compromise of the FortiWeb appliance.
Affected Versions
The vulnerability impacts multiple release branches:
- FortiWeb 8.0.0 – 8.0.1
- FortiWeb 7.6.0 – 7.6.4
- FortiWeb 7.4.0 – 7.4.9
- FortiWeb 7.2.0 – 7.2.11
- FortiWeb 7.0.0 – 7.0.11
Fixed releases include:
- 8.0.2+, 7.6.5+, 7.4.10+, 7.2.12+, and 7.0.12+
Technical Breakdown: How the Exploit Works
CVE-2025-64446 stems from a two-stage design weakness involving:
- Path Traversal Through the API Routing Layer
- Authentication Bypass in the Administrative CGI Handler
1. Breaking Out of the API Path
FortiWeb uses a GUI API handler under the path /api/v2.0/.
However, the routing logic processes certain path components before decoding and normalizing traversal sequences, allowing malformed paths to escape the expected directory structure.
Example attack pattern:
/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi
Because validation occurs late in the request flow, FortiWeb’s Apache layer forwards the malicious request to the internal CGI handler, fwbcgi, which is normally accessible only after authentication.
This mistake exposes a restricted component to unauthenticated clients.
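The ordering problem described above, as an added example that is not FortiWeb's code or Fortinet's fix: a simplified router in which the access decision is made on the raw path and traversal is resolved only at dispatch time, next to one that normalizes first and decides on the result. The prefix, the CGI handler name and the crafted path come from this write-up; the routing model itself is an assumption.

```python
import posixpath
from urllib.parse import unquote

API_PREFIX = "/api/v2.0/"
# Components that must be reachable only after login (name from the write-up).
PROTECTED = {"/cgi-bin/fwbcgi"}


def _normalize(raw_path: str) -> str:
    """Percent-decode once, then collapse '.' and '..' segments."""
    return posixpath.normpath(unquote(raw_path))


def _under_api(target: str) -> bool:
    return target == API_PREFIX.rstrip("/") or target.startswith(API_PREFIX)


def route_vulnerable(raw_path: str, authenticated: bool) -> tuple:
    """Flawed order (assumed model): the gate looks at the raw, still-encoded
    prefix, and traversal is resolved afterwards when the request is
    dispatched to a handler."""
    gated = not raw_path.startswith(API_PREFIX)   # API layer left to do its own auth
    target = _normalize(raw_path)
    if gated and target in PROTECTED and not authenticated:
        return ("denied", target)
    return ("forwarded", target)


def route_hardened(raw_path: str, authenticated: bool) -> tuple:
    """Fixed order: decode and normalize first, then decide on the result;
    input that still carries encoding after one decode is rejected."""
    decoded = unquote(raw_path)
    target = posixpath.normpath(decoded)
    if "%" in decoded:                                  # double-encoding attempt
        return ("denied", target)
    if raw_path.startswith(API_PREFIX) and not _under_api(target):
        return ("denied", target)                       # escaped the API tree
    if target in PROTECTED and not authenticated:
        return ("denied", target)
    return ("forwarded", target)


if __name__ == "__main__":
    crafted = "/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi"
    print("vulnerable:", route_vulnerable(crafted, authenticated=False))
    print("hardened:  ", route_hardened(crafted, authenticated=False))
```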
2. Bypassing Authentication Using a Trusted Header
The internal component fwbcgi relies on a function (cgi_auth) that trusts the header HTTP_CGIINFO.
This header contains a Base64-encoded JSON object with fields such as:
- username
- profname
- loginname
Since no signature validation or integrity checking occurs, attackers can supply any username they want, effectively impersonating an administrator.
Example JSON (after Base64 decoding):
{
  "username": "super_admin",
  "profname": "super_admin",
  "loginname": "super_admin"
}
The CGI handler copies this information directly into the login session context.
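The trust problem in the identity header, as an added example that is not FortiWeb's code or Fortinet's fix: a model of an auth routine that takes the identity straight from the Base64 JSON in HTTP_CGIINFO, next to one that accepts the header only when it carries a MAC computed with a key the client cannot have. The header name and JSON fields come from this write-up; the signed-header design and the key are assumptions, and the more basic measure of stripping client-supplied CGIINFO at the front end still applies.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical key known only to the appliance's own front end; clients
# must never be able to obtain or derive it (constructed for this demo).
INTERNAL_KEY = b"constructed-demo-key-not-for-production"


def cgi_auth_vulnerable(headers: dict) -> Optional[dict]:
    """Models the trusting behaviour described above: whatever identity the
    client-supplied header carries becomes the session identity."""
    raw = headers.get("HTTP_CGIINFO")
    if not raw:
        return None
    return json.loads(base64.b64decode(raw))


def issue_cgiinfo(identity: dict) -> str:
    """What an authenticating front end could set after a real login:
    base64(JSON) plus an HMAC over it (hypothetical design, not Fortinet's)."""
    payload = base64.b64encode(json.dumps(identity, sort_keys=True).encode()).decode()
    tag = hmac.new(INTERNAL_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def cgi_auth_hardened(headers: dict) -> Optional[dict]:
    """Accept the identity only if the MAC verifies. A header forged by a
    client (no tag, or a tag it cannot compute) yields no identity at all."""
    raw = headers.get("HTTP_CGIINFO")
    if not raw or "." not in raw:
        return None
    payload, tag = raw.rsplit(".", 1)
    expected = hmac.new(INTERNAL_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.b64decode(payload))


# Constructed spoof: the JSON from the write-up, Base64-encoded by a client
# that never logged in.
SPOOFED = {"HTTP_CGIINFO": base64.b64encode(
    b'{"username": "super_admin", "profname": "super_admin", "loginname": "super_admin"}'
).decode()}
```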
By chaining both vulnerabilities, attackers achieve:
- Full administrative access
- Arbitrary configuration changes
- Creation of persistent admin accounts
- Execution of privileged API and system commands
- Potential pivoting into protected networks via the WAF interface
This turns a system intended to shield web applications into a high-impact entry point for attackers.
How Attackers Are Exploiting CVE-2025-64446
Unauthorized Admin Accounts
Attackers create hidden admin accounts (like “hax0r”) to maintain long-term access. These accounts blend in with regular activity, making detection difficult.
Remote Execution of Admin Commands
With admin privileges, attackers can run any command allowed by the FortiWeb management plane, changing rules, uploading files, or disabling protections.
Silent, Targeted Compromises
Some campaigns show unusually quiet behavior. Attackers avoid noisy changes, focusing instead on persistence and data collection.
Global Scanning Activity
Groups like Shadowserver and Defused have detected widespread scans targeting FortiWeb endpoints such as /api/v2.0/ and /cgi-bin/fwbcgi, indicating active reconnaissance.
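A way to hunt for this reconnaissance and exploitation pattern in web-server access logs, as an added example that is not from this write-up or from Fortinet: each path is percent-decoded and normalized before comparison, so a request that claims to be under /api/v2.0/ but resolves to /cgi-bin/fwbcgi is flagged, as is any direct hit on the handler. The sample lines are constructed; the log format, field names and the choice of indicators are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

API_PREFIX = "/api/v2.0/"
CGI_HANDLER = "/cgi-bin/fwbcgi"

# Constructed sample lines in combined-log style; not from a real appliance.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Nov/2025:10:01:02 +0000] "GET /api/v2.0/cmdb/system/status HTTP/1.1" 200 512
203.0.113.9 - - [20/Nov/2025:10:01:05 +0000] "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 88
198.51.100.4 - - [20/Nov/2025:10:02:11 +0000] "GET /cgi-bin/fwbcgi HTTP/1.1" 403 0
198.51.100.4 - - [20/Nov/2025:10:02:12 +0000] "GET /api/v2.0/ HTTP/1.1" 401 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def resolve(raw_path: str) -> str:
    """Drop a literal query string, percent-decode once, collapse '..'."""
    return posixpath.normpath(unquote(raw_path.split("?", 1)[0]))


def classify(line: str):
    """Return a finding dict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw, target = m["path"], resolve(m["path"])
    under_api = target == API_PREFIX.rstrip("/") or target.startswith(API_PREFIX)
    reasons = []
    if raw.startswith(API_PREFIX) and not under_api:
        reasons.append("path escapes /api/v2.0/ after normalization")
    if target == CGI_HANDLER:
        reasons.append("request resolves to the internal CGI handler")
    if re.search(r"%(2e|3f)", raw, re.IGNORECASE):
        reasons.append("encoded '.' or '?' in path")
    return {"ip": m["ip"], "ts": m["ts"], "raw": raw, "target": target,
            "status": int(m["status"]), "reasons": reasons}


def suspicious(log_text: str) -> list:
    """All findings with at least one reason; a 200 on the handler is the
    case to escalate, since it means the request was not blocked."""
    hits = [classify(l) for l in log_text.splitlines()]
    return [h for h in hits if h and h["reasons"]]
```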
CVE-2025-64446 – Organizational Exposure and Risk Surface
Complete Device Takeover – Successful exploitation grants attackers full administrative control of the FortiWeb appliance, effectively handing over the keys to a critical security gateway.
Compromise or Disablement of WAF Protections – Attackers can manipulate or disable WAF rules, leaving applications exposed to previously blocked threats such as SQLi, RCE, LFI, and bot attacks.
Injection of Malicious Policies – Malicious reverse proxy rules or custom signatures can be inserted to intercept, modify, or reroute live application traffic.
Traffic Manipulation and Data Interception – Since FortiWeb often sits at major ingress points, attackers can:
- Intercept session tokens
- Capture authentication credentials
- Harvest API keys
- Redirect clients to malicious destinations
Enabling Lateral Movement – Once inside, attackers can pivot from the WAF into internal networks, targeting application servers, admin consoles, or internal services.
Exposure of Sensitive Logs and Credentials – WAF logs often contain insights into application architecture and user behavior. Compromised logs provide attackers with:
- Operational intelligence
- API routes
- Error responses
- Potentially sensitive metadata
AppTrana Coverage Against Path Traversal and Pre-Auth Exploits
While CVE-2025-64446 is a vendor-side vulnerability in FortiWeb’s internal authentication logic, AppTrana provides multiple layers of protection that help reduce exposure to similar path traversal and pre-authentication attacks:
- Path Normalization and Validation: AppTrana inspects and normalizes all request paths, blocking attempts to traverse directories or access restricted components through encoded or malformed URLs.
- Pre-Authentication Filtering: Requests to sensitive endpoints such as administrative interfaces or CGI handlers are monitored and filtered before reaching the backend, preventing unauthenticated access attempts.
- Header and Identity Enforcement: Malicious header injection, including spoofed identity headers, is detected and blocked, preventing attackers from bypassing authentication controls.
- Virtual Patching: AppTrana’s managed rules provide instant protection against known exploitation patterns like path traversal, RCE attempts, and unauthorized access, even before official patches are applied.
- Anomaly Detection and Behavioral Monitoring: Suspicious administrative behavior, such as creation of new admin accounts or unusual configuration changes, is flagged and blocked in real time.
- Access Hardening: Public exposure of management interfaces is restricted through IP-based controls, rate limiting, and bot detection to reduce attack surface and reconnaissance activity.
This layered approach ensures that even if a vulnerability exists in the underlying appliance, attackers are prevented from successfully exploiting it through web-facing interfaces or APIs.
Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.
November 20, 2025