Overview
- Fortinet disclosed that CVE-2025-64446 is a path-confusion authentication bypass in the FortiWeb GUI that lets an unauthenticated attacker execute administrative commands on vulnerable devices.
- Researchers report that attackers are creating new local administrator accounts by sending crafted HTTP POST requests to the /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi endpoint, and have shared the observed usernames and source IPs as indicators for detection.
- Fortinet confirmed that the flaw was silently fixed on October 28 in FortiWeb 8.0.2, and that fixed builds are also available for the 7.0, 7.2, 7.4, and 7.6 branches as 7.0.12, 7.2.12, 7.4.10, and 7.6.5 or later.
- watchTowr reproduced the exploit, published a demonstration, and released a FortiWeb Authentication Bypass Artifact Generator; Rapid7 validated that 8.0.2 blocks the public proof-of-concept and noted that an exploit for the flaw was allegedly offered for sale on November 6.
- Citing active, indiscriminate exploitation, Fortinet and CISA urged immediate remediation: upgrade to a fixed release, disable or restrict HTTP/HTTPS administrative access on internet-facing interfaces, and review logs for unauthorized administrator accounts and other anomalies.
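The log review step above is where most defenders will start. The following is an added example, not code from the article, Fortinet, watchTowr, or Rapid7: a small detector that scans web-server access-log lines for the request shape described above, an encoded "?" (%3F) followed by "../" traversal that, once percent-decoded and normalized, lands on /cgi-bin/fwbcgi. The sample log lines are constructed, and the single-decode-then-normalize model is a generic lax-normalizer assumption used for matching, not a description of FortiWeb internals.

```python
"""Flag access-log requests whose path matches the CVE-2025-64446 path-confusion shape.

Added example: constructed log lines, generic normalizer model (not FortiWeb's code).
"""
import re
from urllib.parse import unquote

# The CGI endpoint the reported requests resolve to after traversal.
TARGET_CGI = "/cgi-bin/fwbcgi"

# Raw (pre-decoding) signature: an encoded '?' immediately followed by a slash
# (literal or encoded) and a dot-dot segment (literal or encoded).
ENCODED_QMARK_TRAVERSAL = re.compile(r"%3f(?:/|%2f)(?:\.\.|%2e%2e)", re.I)

# Common-log-style line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def normalize_path(target):
    """Percent-decode the request target once and collapse '.' and '..' segments.

    Assumption for matching purposes: a lax normalizer that does NOT treat '?' as
    the start of a query string, so the decoded '?' stays inside a path segment
    and the following '..' segments still walk back up the path.
    """
    path = target.split("#", 1)[0]
    decoded = unquote(path)
    out = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def classify(log_line):
    """Return a finding dict for a suspicious request, or None for a benign line."""
    m = LOG_RE.match(log_line)
    if not m:
        return None
    target = m.group("target")
    reasons = []
    if ENCODED_QMARK_TRAVERSAL.search(target):
        reasons.append("encoded '?' followed by traversal")
    normalized = normalize_path(target)
    # Direct requests to the CGI are not the pattern described; only flag when
    # traversal is what reaches it.
    if normalized == TARGET_CGI and not target.startswith(TARGET_CGI):
        reasons.append("path normalizes to " + TARGET_CGI)
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "method": m.group("method"),
        "raw_target": target,
        "normalized": normalized,
        "status": int(m.group("status")),
        "reasons": reasons,
    }


def scan(lines):
    """Run classify() over an iterable of log lines and return the findings."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log (not real traffic): two traversal variants, one benign
# API call with a real query string, and one direct request to the CGI.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Nov/2025:10:14:02 +0000] "POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512',
    '198.51.100.23 - - [12/Nov/2025:10:15:40 +0000] "GET /api/v2.0/cmdb/system/admin?vdom=root HTTP/1.1" 401 0',
    '203.0.113.7 - - [12/Nov/2025:10:16:11 +0000] "POST /api/v2.0/cmdb/system/admin%3f/..%2f..%2f..%2f..%2f..%2fcgi-bin/fwbcgi HTTP/1.1" 200 512',
    '192.0.2.9 - - [12/Nov/2025:10:17:05 +0000] "GET /cgi-bin/fwbcgi HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["method"], finding["normalized"], "; ".join(finding["reasons"]))
```

Any hit from this scan is a reason to check the device for administrator accounts you did not create and to confirm the firmware is at a fixed release. The regex alone catches the literal and slash-encoded variants shown; the normalization rule is the broader net, since it fires on any mix of encodings that still resolves to the CGI.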