On November 14, 2025, Fortinet published a security advisory for a critical pre-authentication vulnerability in FortiWeb. The CVE-2025-64446 vulnerability stems from a combination of weaknesses in FortiWeb's request routing and authentication logic, allowing attackers to execute privileged commands as an administrator. Both Fortinet and CISA have confirmed active exploitation in the wild; organizations running any impacted FortiWeb appliances are advised to apply patches or mitigations without delay.
In this blog, we explain how the FortiWeb CVE-2025-64446 vulnerability works and provide practical steps for validation and remediation.
Simulate Vulnerability Exploitation Attacks with 14-Day Free Trial of Picus Platform
Fortinet FortiWeb is a dedicated web application firewall (WAF) designed to protect web applications and APIs from a broad spectrum of attacks, including SQL injection, cross-site scripting, file inclusion, and other application-layer threats. It sits in front of an organization's web infrastructure and analyzes incoming traffic to detect and block malicious payloads before they ever reach an application server.
On November 14, 2025, Fortinet issued a security advisory for a critical vulnerability affecting FortiWeb identified as CVE-2025-64446 [1]. The vulnerability is a relative path traversal vulnerability that allows an unauthenticated attacker to execute administrative commands remotely. The vulnerability has a CVSS score of 9.8 (Critical) and affects multiple FortiWeb versions, including the 7.0, 7.2, 7.4, 7.6, and 8.0 branches. Both CISA and Fortinet confirm that the flaw is actively exploited in the wild [2].
At its core, the FortiWeb CVE-2025-64446 vulnerability exists because FortiWeb's GUI API handler does not properly validate or sanitize URL paths before processing them. An attacker can craft a malicious HTTP request that abuses relative path traversal sequences to break out of the intended /api/v2.0/ routing path. In vulnerable systems, FortiWeb's Apache configuration forwards any request beginning with /api/v2.0/ to a backend CGI handler before resolving encoded characters or collapsing directory traversal markers. This means that crafted requests like the one below can be routed directly to the internal fwbcgi administrative component instead of the legitimate API endpoint.
|
/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi |
Once the attacker reaches this internal CGI, a second weakness is triggered. The CGI's authentication function cgi_auth trusts a user-supplied header called HTTP_CGIINFO. The header contains base64-encoded JSON fields such as username, profname, and loginname. Because the system does not verify the signature or legitimacy of these values, the attacker can impersonate any administrator simply by choosing the account name they want to imitate. The JSON is copied directly into the login context, meaning the vulnerable appliance believes the attacker is a valid administrative user.
When these two design flaws are combined, the result is full remote command execution on the device without any credentials. The path traversal provides access to a privileged CGI endpoint, and the header manipulation bypasses authentication entirely. The GitHub analysis confirms that this chain grants complete access to all administrative actions handled by fwbcgi and allows attackers to create new accounts, modify configurations, or execute other privileged API commands [3].
We also strongly suggest simulating the FortiWeb CVE-2025-64446 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for FortiWeb CVE-2025-64446 vulnerability exploitation attacks:
|
Threat ID |
Threat Name |
Attack Module |
|
68019 |
FortiWeb Web Attack Campaign |
Web Application |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
References
[1] "PSIRT," FortiGuard Labs. Available: https://fortiguard.fortinet.com/psirt/FG-IR-25-910
[2] "Website." Available: https://www.cisa.gov/news-events/alerts/2025/11/14/fortinet-releases-security-advisory-relative-path-traversal-vulnerability-affecting-fortiweb
[3] "FortiWeb Unauthenticated RCE via Path Traversal and CGI Auth Bypass CVE-2025-64446," Available: https://gist.github.com/N3mes1s/d882ee7ca4ddcad150f94b7460508a32