Free Trial
|
Login
Free Trial
Login
Platform
Platform
I want to
report
WHITEPAPER Picus Red Report 2025
white paper
DATASHEET Security Validation Platform
Use Cases
Use Cases
Frameworks
Industry
Group
WHITEPAPER Building a Robust Defense-in-Depth Strategy with Breach and Attack Simulation (BAS)
Paper Icons
E-BOOK An Introduction to Exposure Validation
Research
RESEARCH
LEARNING
whitepaper
Whitepaper Modernize Your SOC with Breach and Attack Simulation
report (1)
REPORT Blue Report: Effective Threat Exposure Management
Resources
RESOURCES
LEARNING
Group
WHITEPAPER Double Your Threat Blocking in 90 Days
Paper Icons
E-BOOK An Introduction to Exposure Validation
Company
COMPANY
PARTNERS
webinar
WATCH ON-DEMAND: The BAS Summit: Redefining Attack Simulation through AI
Data sheet
DATASHEET The Pioneer of Breach & Attack Simulation
GET A DEMO
Huseyin Can YUCEEL | 3 MIN READ

CREATED ON November 17, 2025

FortiWeb CVE-2025-64446 Vulnerability: Path Traversal Leads to Remote Code Execution

On November 14, 2025, Fortinet published a security advisory for a critical pre-authentication vulnerability in FortiWeb. The CVE-2025-64446 vulnerability stems from a combination of weaknesses in FortiWeb's request routing and authentication logic, allowing attackers to execute privileged commands as an administrator. Both Fortinet and CISA have confirmed active exploitation in the wild; organizations running any impacted FortiWeb appliances are advised to apply patches or mitigations without delay.

In this blog, we explain how the FortiWeb CVE-2025-64446 vulnerability works and provide practical steps for validation and remediation.

Simulate Vulnerability Exploitation Attacks with 14-Day Free Trial of Picus Platform

Fortinet FortiWeb CVE-2025-64446 Vulnerability Explained

Fortinet FortiWeb is a dedicated web application firewall (WAF) designed to protect web applications and APIs from a broad spectrum of attacks, including SQL injection, cross-site scripting, file inclusion, and other application-layer threats. It sits in front of an organization's web infrastructure and analyzes incoming traffic to detect and block malicious payloads before they ever reach an application server.

On November 14, 2025, Fortinet issued a security advisory for a critical vulnerability affecting FortiWeb identified as CVE-2025-64446 [1]. The vulnerability is a relative path traversal vulnerability that allows an unauthenticated attacker to execute administrative commands remotely. The vulnerability has a CVSS score of 9.8 (Critical) and affects multiple FortiWeb versions, including the 7.0, 7.2, 7.4, 7.6, and 8.0 branches. Both CISA and Fortinet confirm that the flaw is actively exploited in the wild [2]. 

How Does the FortiWeb CVE-2025-64446 Exploit Work?

At its core, the FortiWeb CVE-2025-64446 vulnerability exists because FortiWeb's GUI API handler does not properly validate or sanitize URL paths before processing them. An attacker can craft a malicious HTTP request that abuses relative path traversal sequences to break out of the intended /api/v2.0/ routing path. In vulnerable systems, FortiWeb's Apache configuration forwards any request beginning with /api/v2.0/ to a backend CGI handler before resolving encoded characters or collapsing directory traversal markers. This means that crafted requests like the one below can be routed directly to the internal fwbcgi administrative component instead of the legitimate API endpoint.

/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi

Once the attacker reaches this internal CGI, a second weakness is triggered. The CGI's authentication function cgi_auth trusts a user-supplied header called HTTP_CGIINFO. The header contains base64-encoded JSON fields such as username, profname, and loginname. Because the system does not verify the signature or legitimacy of these values, the attacker can impersonate any administrator simply by choosing the account name they want to imitate. The JSON is copied directly into the login context, meaning the vulnerable appliance believes the attacker is a valid administrative user.

When these two design flaws are combined, the result is full remote command execution on the device without any credentials. The path traversal provides access to a privileged CGI endpoint, and the header manipulation bypasses authentication entirely. The GitHub analysis confirms that this chain grants complete access to all administrative actions handled by fwbcgi and allows attackers to create new accounts, modify configurations, or execute other privileged API commands [3]. 

How Picus Helps Simulate FortiWeb CVE-2025-64446 Attacks?

We also strongly suggest simulating the FortiWeb CVE-2025-64446 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for FortiWeb CVE-2025-64446 vulnerability exploitation attacks:

Threat ID

Threat Name

Attack Module

68019

FortiWeb Web Attack Campaign

Web Application

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof the Picus Security Validation Platform.

References

[1] "PSIRT," FortiGuard Labs. Available: https://fortiguard.fortinet.com/psirt/FG-IR-25-910

[2] "Website." Available: https://www.cisa.gov/news-events/alerts/2025/11/14/fortinet-releases-security-advisory-relative-path-traversal-vulnerability-affecting-fortiweb 

[3] "FortiWeb Unauthenticated RCE via Path Traversal and CGI Auth Bypass CVE-2025-64446," Available: https://gist.github.com/N3mes1s/d882ee7ca4ddcad150f94b7460508a32

Table of Contents

FortiWeb CVE-2025-64446 Vulnerability: Path Traversal Leads to Remote Code Execution
Emerging Threat FortiWeb CVE-2025-64446 Vulnerability: Path Traversal Leads to Remote Code Execution
Learn More
CVE-2025-59287 Explained: WSUS Unauthenticated RCE Vulnerability
Emerging Threat CVE-2025-59287 Explained: WSUS Unauthenticated RCE Vulnerability
Learn More
Earth Krahang APT Group: Global Government Cyberespionage Campaigns (2022–2024) and TTP Analysis
Emerging Threat Earth Krahang APT Group: Global Government Cyberespionage Campaigns (2022–2024) and TTP Analysis
Learn More
WARMCOOKIE: A Technical Deep Dive into a Persistent Backdoor's Evolution
Emerging Threat WARMCOOKIE: A Technical Deep Dive into a Persistent Backdoor's Evolution
Learn More
Lazarus Group (APT38) Explained: Timeline, TTPs, and Major Attacks
Emerging Threat Lazarus Group (APT38) Explained: Timeline, TTPs, and Major Attacks
Learn More
Scattered LAPSUS$ Hunters: 2025's Most Dangerous Cybercrime Supergroup
Emerging Threat Scattered LAPSUS$ Hunters: 2025's Most Dangerous Cybercrime Supergroup
Learn More
F5 Confirms Breach of Internal Systems—Source Code, Customer Data at Risk
Emerging Threat F5 Confirms Breach of Internal Systems—Source Code, Customer Data at Risk
Learn More
Emerging Threat Oracle EBS CVE-2025-61882 Vulnerability: Pre-auth SSRF Leads to Remote Code Execution
Learn More
Shai-Hulud Worm: Inside the npm Supply Chain Attack
Emerging Threat Shai-Hulud Worm: Inside the npm Supply Chain Attack
Learn More