top of page

CVE-2025-64446: Critical FortiWeb Path-Traversal Vulnerability Exploited in the Wild

  • Writer: helxon admin
    helxon admin
  • Jan 10
  • 2 min read

Updated: Feb 3

CVE-2025-64446: Critical Path-Traversal Vulnerability in Fortinet FortiWeb WAF Appliances


Overview of CVE-2025-64446

CVE-2025-64446 is a critical path-traversal vulnerability affecting Fortinet FortiWeb WAF appliances. Security researchers, including Arctic Wolf and Rapid7, have confirmed active exploitation beginning in October 2025. This flaw allows unauthenticated attackers to create new admin accounts, leading to full device compromise.


Understanding the Vulnerability

Attackers can send a crafted POST request to a vulnerable API path that bypasses authentication. This triggers backend CGI functions, enabling:


  • Creation of admin-level accounts

  • Full control of FortiWeb configuration

  • Possible lateral movement into internal networks


This makes CVE-2025-64446 a high-risk zero-day. The implications are serious, as it can lead to significant security breaches.


Affected Versions of FortiWeb

The following versions are vulnerable:


  • 8.0.0 – 8.0.1

  • 7.6.0 – 7.6.4

  • 7.4.0 – 7.4.9

  • 7.2.0 – 7.2.11

  • 7.0.0 – 7.0.11


Fixed versions: 8.0.2+, 7.6.5+, 7.4.10+, 7.2.12+, 7.0.12+ (Fortinet PSIRT Advisory). If you are using any of the affected versions, immediate action is necessary.


Why This Zero-Day Matters

The significance of this zero-day cannot be overstated. Here are key points to consider:


  • It has been exploited in the wild.

  • No authentication is required for exploitation.

  • It targets critical WAF infrastructure.

  • There is a high potential impact on web applications and internal assets.


Rapid7 has noted widespread scanning and exploitation attempts across the Internet. This vulnerability poses a serious threat to organizations relying on FortiWeb appliances.


Indicators of Compromise (IoCs)

To identify potential exploitation, watch for these indicators:


  • Unknown admin accounts

  • Logs referencing /cgi-bin/fwbcgi

  • Suspicious POST requests to /api/v2.0/cmdb/

  • Unexpected configuration changes


(Arctic Wolf Threat Research). Recognizing these signs early can help mitigate damage.


Mitigation Steps to Take

Here are essential steps to mitigate the risk associated with CVE-2025-64446:


  1. Patch immediately to the nearest fixed version.

  2. Remove public access to the FortiWeb management interface.

  3. Audit all admin accounts for unauthorized additions.

  4. Review logs for suspicious API calls or configuration edits.

  5. Perform a compromise assessment if exploitation is suspected.


Taking these actions can help secure your systems and prevent unauthorized access.


The Importance of Cybersecurity

In today's digital landscape, cybersecurity is paramount. Vulnerabilities like CVE-2025-64446 highlight the need for robust security measures. Organizations must prioritize patch management and continuous monitoring to protect their assets.


Conclusion

CVE-2025-64446 is a severe FortiWeb zero-day that enables remote admin account creation and full system compromise. With confirmed exploitation, organizations must patch now, restrict management access, and verify devices for unauthorized changes. By taking proactive steps, you can safeguard your digital assets and maintain operational integrity.


For more information on cybersecurity best practices, consider visiting Helxon.

 
 
 

Comments

bottom of page