Overview
- Fortinet issued an advisory assigning CVE-2025-64446 and confirming active exploitation that lets unauthenticated attackers execute administrative commands on FortiWeb devices.
- Qualys detailed a two-step attack that chains a relative path traversal to the fwbcgi component with a CGIINFO header impersonation that grants full administrative privileges.
- Affected releases include FortiWeb 8.0.0–8.0.1, 7.6.0–7.6.4, 7.4.0–7.4.9, 7.2.0–7.2.11, and 7.0.0–7.0.11, with fixes in 8.0.2, 7.6.5, 7.4.10, 7.2.12, and 7.0.12.
- Defused, watchTowr, Rapid7, and PwnDefend reproduced the issue, released PoCs and detection resources, and reported widespread attempts since early October to add persistent admin users.
- CISA added the bug to its Known Exploited Vulnerabilities catalog and directed federal agencies to remediate by November 21, as vendors urge immediate upgrades, restriction of management access, and log reviews for unauthorized accounts and related IOCs.
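Two of the defender tasks above can be scripted: deciding whether a given FortiWeb build falls in an affected range (and which fixed release it maps to), and triaging request logs for the two indicators the summary names. The block below is an added example, not code from Fortinet, Qualys, or any of the vendors mentioned; the request-record shape and the sample paths are constructed assumptions, not FortiWeb's own log format.

```python
import re
from urllib.parse import unquote
from typing import Dict, List, Optional, Tuple

# Affected ranges and fixed releases exactly as listed in the advisory summary above:
# (first affected, last affected, fixed) per release branch.
AFFECTED = [
    ((8, 0, 0), (8, 0, 1), (8, 0, 2)),
    ((7, 6, 0), (7, 6, 4), (7, 6, 5)),
    ((7, 4, 0), (7, 4, 9), (7, 4, 10)),
    ((7, 2, 0), (7, 2, 11), (7, 2, 12)),
    ((7, 0, 0), (7, 0, 11), (7, 0, 12)),
]

def parse_version(s: str) -> Tuple[int, int, int]:
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised FortiWeb version: {s!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def fixed_version_for(version: str) -> Optional[str]:
    """Return the patched release to move to if `version` is affected, else None.
    Tuple comparison means 7.4.10 sorts after 7.4.9 (a plain string compare would not)."""
    v = parse_version(version)
    for lo, hi, fixed in AFFECTED:
        if lo <= v <= hi:
            return ".".join(map(str, fixed))
    return None

def traversal_to_fwbcgi(path: str) -> bool:
    """True if the decoded request path contains a '..' segment and names fwbcgi."""
    decoded = unquote(path.split("?", 1)[0])   # catch %2e%2e as well as literal dots
    segments = re.split(r"[\\/]+", decoded)
    return ".." in segments and "fwbcgi" in decoded.lower()

def triage(requests: List[Dict]) -> List[str]:
    """One finding per request record matching either indicator from the advisory.
    Assumed record shape (hypothetical): {"src": ip, "path": str, "headers": {name: value}}."""
    findings = []
    for r in requests:
        reasons = []
        if traversal_to_fwbcgi(r["path"]):
            reasons.append("path traversal toward fwbcgi")
        if any(h.lower() == "cgiinfo" for h in r.get("headers", {})):
            reasons.append("client-supplied CGIINFO header")
        if reasons:
            findings.append(f'{r["src"]} {r["path"]}: ' + "; ".join(reasons))
    return findings
```

Any hit from `triage` on the management interface is worth following up with the account review the advisory recommends, since the reported goal of the activity was adding persistent admin users.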