On November 14, 2025, Fortinet released a PSIRT advisory for a critical vulnerability affecting its FortiWeb Web Application Firewall (WAF). Tracked as CVE-2025-64446, this flaw carries a CVSS 3.1 score of 9.8 (Critical) and is confirmed to be actively exploited in the wild.
Vulnerability Description
The vulnerability is the result of a chain of two distinct security flaws:
- Path Traversal: A weakness in the management interface’s input validation allows an attacker to manipulate an API request path.
- Authentication Bypass: A second flaw allows the attacker to append a specific HTTP header (
CGIINFO) to their request, enabling them to impersonate an existing user, including the default administrator account.
By chaining these two flaws, a remote, unauthenticated attacker can send a specially crafted HTTP POST request. The exploit targets the fwbcgi executable by leveraging a manipulated API path, such as:
/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi
The malicious CGIINFO header contains a JSON structure that forces the system to process the request as if it originated from the local “super_admin” administrator.
Impact and Exploitation
The impact of this vulnerability is a full system compromise. Security researchers and Fortinet have confirmed that threat actors are actively exploiting this flaw to create new administrator accounts on exposed FortiWeb appliances.
Once administrative access is gained, the attacker has complete control over the WAF, allowing them to:
- Disable security rules.
- Intercept, read, or modify web traffic intended for protected applications.
- Use the appliance as a pivot to move deeper into the internal network.
CISA has added CVE-2025-64446 to its KEV (Known Exploited Vulnerabilities) catalog, compelling U.S. federal agencies to apply the patch by November 21, 2025, underscoring the urgency of the situation.
Affected Products
The following FortiWeb versions are confirmed to be vulnerable:
- FortiWeb versions 8.0.0 through 8.0.1
- FortiWeb versions 7.6.0 through 7.6.4
- FortiWeb versions 7.4.0 through 7.4.9
- FortiWeb versions 7.2.0 through 7.2.11
- FortiWeb versions 7.0.0 through 7.0.11
Remediation and Mitigation Actions
It is imperative to apply the security updates provided by Fortinet as soon as possible.
Remediation (Patches): The following versions resolve the vulnerability:
- FortiWeb version 8.0.2 or later
- FortiWeb version 7.6.5 or later
- FortiWeb version 7.4.10 or later
- FortiWeb version 7.2.12 or later
- FortiWeb version 7.0.12 or later
Mitigation (Workaround): If immediate patching is not feasible, the only effective mitigation is to disable HTTP/HTTPS management interface access to the FortiWeb appliance from the internet or any untrusted network. Administrative access should only be possible from a secure, internal network or via VPN.
It is also highly recommended to audit logs and user account configurations for any suspicious or unknown administrator accounts that may have been created.
Source:
CISA Alert: https://www.cisa.gov/news-events/alerts/2025/11/14/fortinet-releases-security-advisory-relative-path-traversal-vulnerability-affecting-fortiweb
Fortinet PSIRT Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-910
NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2025-64446
