FortiWeb Path Traversal Exploit Actively Targeted: What You Need to Know

A recent surge in attacks against Fortinet FortiWeb appliances has revealed an undocumented path traversal flaw, now formally tracked as CVE-2025-64446. The issue allows attackers to create admin accounts without authentication. With exploitation already active and now confirmed by both Fortinet and CISA, organizations must review their exposure and validate the security of their devices.

This article breaks down what is currently known and offers clear, actionable insights to help teams strengthen their defenses.

What Is the Newly Observed FortiWeb Vulnerability?

The vulnerability, now designated as CVE-2025-64446 (CVSS 9.8), involves a path traversal and authentication bypass flaw in Fortinet FortiWeb, a Web Application Firewall (WAF) with a built-in management interface.

According to multiple researchers, an attacker can send a crafted HTTP POST request to a specific API endpoint, which uses encoded characters and directory traversal segments (../../../../../) to reach an internal CGI script. When accessed in this way, the script processes administrative commands without requiring authentication.

The result: an unauthenticated attacker can create a new local administrator account on a target device. Once such an account exists, the attacker can log into FortiWeb’s management panel, or the associated websocket CLI, with full administrative privileges. They can then modify configurations or security policies, and potentially take full control of the device.

In this case, the ease of exploitation, combined with the ability to create privileged users, makes this flaw very impactful.

How Does CVE-2025-64446 Work?

Before looking at attacker activity, it’s important to understand how CVE-2025-64446 works. The exploit relies on two weaknesses that chain together to give an attacker full administrative control without authentication.

1. Path Traversal

FortiWeb accepts API paths under /api/v2.0/, but it does not properly normalize encoded characters or block upward directory traversal. With a crafted request, an attacker can escape the intended path and reach the internal fwbcgi handler.

Example path: /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi

This path uses %3f (an encoded ?) and ../../../../../ sequences to reach cgi-bin/fwbcgi, which should not be accessible from the API surface.

2. CGI Authentication Bypass 

The fwbcgi binary uses a function known as cgi_auth to determine user identity. It reads a Base64-encoded CGIINFO header that contains JSON describing the user. Critically:

• It does not validate passwords or tokens.
• It trusts whatever identity the client provides.

With this JSON, an attacker can impersonate the built-in admin account:

{

“username”: “admin”,

“profname”: “super_admin”,

“vdom”: “root”,

“loginname”: “admin”

}

Once the system accepts this header, all actions run with full admin rights. Attackers can then create new admin users with known passwords.

How Is the Exploit Being Used in the Wild?

The first signs of active exploitation emerged on October 6, when Defused’s honeypot environment captured suspicious traffic involving an unknown Fortinet exploit. Soon after, the activity grew into broad scanning and credential-planting behavior targeting exposed FortiWeb instances worldwide.

Observed attacker behaviors include:

• Repeated POST requests to the vulnerable API path
• Payloads designed to create unauthorized administrator accounts
• Rotation of multiple credential sets to avoid detection
• Rapid, wide-range spraying of the exploit across numerous IPs

Dark Web Activity Noticed by SOCRadar

SOCRadar’s Advanced Dark Web Monitoring capabilities identified a post referencing an alleged FortiWeb exploit on November 3, 2025, shortly before other researchers publicly connected the activity.

While it is yet unverified, the post’s timing aligns closely with the initial exploitation observed in honeypot environments.

Fresh Dark Web Listing Offers CVE-2025-64446 Exploit for Sale

SOCRadar has detected another Fortinet-related listing that offers a working exploit, specifically for CVE-2025-64446. The post advertises a Go-based exploit capable of adding new administrator accounts to vulnerable FortiWeb devices. The seller claims the PoC has been tested against a real target and is being sold with full source code.

Advertisement of a working exploit for CVE-2025-64446 (SOCRadar Dark Web News)

The exploit was shared on a cybercriminal forum known to attract ransomware-aligned actors. Once a vulnerability reaches such marketplaces, it is more likely to be exploited as an initial access vector in real-world attacks.

SOCRadar, through its Dark Web Monitoring, continues to monitor underground forums for further PoC distribution, exploit sales, or coordinated threat activity associated with CVE-2025-64446.

Which Versions Are Affected?

Fortinet’s advisory for CVE-2025-64446 confirms that multiple FortiWeb version branches are vulnerable. The following releases are affected:

• 8.0.0 through 8.0.1
• 7.6.0 through 7.6.4
• 7.4.0 through 7.4.9
• 7.2.0 through 7.2.11
• 7.0.0 through 7.0.11

Earlier testing by researchers, including Rapid7, identified 8.0.2 as the first version to block the exploit, returning a 403 Forbidden response. The official advisory now confirms that 8.0.2 contains the patch, and that fixes were also released across the 7.x branches.

Fortinet Publishes Advisory for the Exploited FortiWeb Flaw: CVE-2025-64446

At the time of this blog’s publish, Fortinet had not yet issued an official advisory or assigned a CVE ID for the vulnerability. At that time, it was unclear whether FortiWeb 8.0.2 contained a deliberate fix or merely an incidental change that blocked the publicly circulating exploit path. Because the vendor had not formally acknowledged the issue, defenders were advised to closely monitor the Fortinet PSIRT feed for updates.

Shortly after, Fortinet released an advisory and assigned the vulnerability CVE-2025-64446, confirming both its severity and its active exploitation in the wild. The advisory also clarifies that FortiWeb 8.0.2, published on October 28, 2025, includes the official fix.

Until organizations can upgrade to a fixed release, Fortinet recommends disabling HTTP or HTTPS access on internet-facing interfaces. If the management interface is accessible only from internal networks, following standard best practices, the risk of exploitation is significantly reduced.

CISA Adds CVE-2025-64446 to the KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-64446 affecting FortiWeb to its Known Exploited Vulnerabilities (KEV) Catalog, reinforcing that the vulnerability poses an active and credible threat. In accordance with CISA’s binding operational directive, federal civilian agencies are required to take remediation action by November 21, 2025.

Proof of Concept (PoC) Exploit Is Available for New FortiWeb Flaw

Researchers from watchTowr Labs have reproduced the exploit in a PoC video showing a failed login attempt, followed by a successful login using a newly created admin account after sending the malicious POST request.

Given how widespread the scanning has become, organizations should assume that exposed management interfaces will eventually receive these requests if they are reachable over the internet.

Shodan Observations on FortiWeb Exposure

A recent Shodan scan shows over 700 publicly reachable FortiWeb instances, with most located in the United States. While this exposure level is relatively small, any internet-facing management interface significantly increases the risk of exploitation, especially during active attack campaigns.

What Immediate Steps Should Administrators Take?

Organizations running FortiWeb should act quickly even if they have not yet detected compromise. The following steps align with guidance from researchers and Fortinet’s official advisory for CVE-2025-64446:

• Upgrade to a patched version: Move to one of the fixed releases as soon as possible:
  • 8.0.2 or later
  • 7.6.5 or later
  • 7.4.10 or later
  • 7.2.12 or later
  • 7.0.12 or later

After upgrading to a patched version, Fortinet advises customers to: 1) Review device configurations for unexpected changes, 2) Examine logs for unauthorized modifications, and 3) Check for newly added administrator accounts.

• Remove management interfaces from public internet access: If remote access is required, restrict exposure to a trusted VPN or internal network.
• Audit all admin accounts: Review recent account creation timestamps and validate every privileged user.
• Inspect logs for the specific traversal endpoint: Even a single request should trigger a deeper investigation.

Boost Vulnerability Intelligence and Threat Visibility with SOCRadar

Tracking fast‑moving vulnerability developments, like the active FortiWeb exploitation, requires real‑time intelligence and continuous monitoring. With SOCRadar’s Cyber Threat Intelligence module, your organization can:

• Monitor trending exploits as they surface
• Detect shifts in attacker behavior and exploit techniques
• Receive early warnings about high‑risk vulnerabilities affecting your tech stack
• Prioritize remediation using enriched technical context and threat insights

How Can Organizations Detect Potential Compromise?

Even without a formal patch advisory, security teams can verify exposure and identify whether attackers have already exploited the flaw. Here are the most reliable indicators of compromise reported by researchers:

• Unexpected administrator accounts: Look for new local admin-level accounts – especially those with names seen in the wild (e.g., trader, Testpoint). Any recently created privileged user warrants immediate investigation.
• Logs showing requests to the ‘fwbcgi’ path: Check web server, application, and reverse proxy logs for access attempts to: /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi
• Requests from flagged IP ranges: Cross-reference logs with the suspicious IPs observed by multiple research teams.
• Use the detection tool: watchTowr Labs released a FortiWeb Authentication Bypass Detection Artifact Generator, designed to safely test devices for susceptibility. It generates controlled requests using a randomized username, allowing defenders to confirm whether their instance is vulnerable without exploiting the device themselves.

Indicators of Compromise (IOCs)

These IOCs, compiled from PwnDefend and additional research into CVE-2025-64446, can support both immediate triage and long-term monitoring efforts to identify FortiWeb exploitation attempts in your environment.

Network Indicators:

• POST requests to paths containing %3f/../ under /api/v2.0/
• Malicious endpoint requests: /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi
• Requests containing a CGIINFO header with Base64-encoded JSON impersonating a user (e.g., “username”: “admin”, “profname”: “super_admin”)

Host Indicators:

• New or unknown admin accounts created after early October 2025
• Accounts assigned prof_admin or super_admin roles
• Trusted host settings widened to 0.0.0.0/0 or ::/0
• Suspicious admin usernames observed in the wild: Testpoint, trader1, trader, test1234point

Observed Password Patterns:

• AFodIUU3Sszp5
• 3eMIXX43
• AFT3$tH4ck
• AFT3$tH4ckmet0d4yaga!n

Malicious IP Addresses:

• 107.152.41.19
• 144.31.1.63
• 64.95.13.8
• 185.192.70.0/24 range