Comprehensive Threat Exposure Management Platform
Hive Pro recognized in Gartner® Magic Quadrant™ for Exposure Assessment Platform, 2025 Watch platform in action
A critical zero-day vulnerability in Fortinet FortiWeb, designated CVE-2025-64446, has been discovered under active exploitation since October 2025. This severe FortiWeb security flaw allows unauthenticated attackers to create administrative accounts on exposed FortiWeb devices through a combination of path traversal and authentication bypass vulnerabilities. The FortiWeb vulnerability enables threat actors to gain complete administrative control over web application firewall devices with a single crafted HTTP request. Fortinet has released emergency patches to address this critical FortiWeb path traversal vulnerability affecting multiple product versions. Organizations using FortiWeb must immediately update their systems and audit for suspicious administrator accounts, as this vulnerability has been actively exploited at scale with attackers successfully bypassing FortiWeb authentication mechanisms.
Fortinet has patched a critical flaw in FortiWeb, its web application firewall platform, after discovering active exploitation of CVE-2025-64446 at scale. This FortiWeb vulnerability represents a severe path traversal bug that permits unauthenticated attackers to establish new administrative users on internet-exposed FortiWeb devices. The FortiWeb security flaw has been under continuous exploitation since early October 2025, with threat actors disguising malicious HTTP POST requests as legitimate FortiWeb traffic to evade security controls.
The FortiWeb attack methodology begins with a specially crafted POST request to targeted endpoints, triggering the path traversal vulnerability. By initiating the URI with a valid FortiWeb API path, attackers gain unauthorized access to the underlying fwbcgi executable within FortiWeb systems. This FortiWeb exploitation sets the foundation for the second attack phase, where adversaries exploit weaknesses in the fwbcgi binary’s authentication handling mechanism.
The cgi_auth() function within FortiWeb, which should enforce proper authentication controls, instead accepts user identity details supplied by attackers through a base64-encoded CGIINFO header without validation. This FortiWeb authentication vulnerability extracts four critical values from the header: username, profname, vdom, and loginname. Because FortiWeb devices maintain consistent attributes for built-in admin accounts, attackers can reliably impersonate administrators by supplying the correct JSON structure to FortiWeb systems.
Once FortiWeb systems process this fraudulent identity, all subsequent actions are treated as originating from legitimate FortiWeb administrators. This FortiWeb vulnerability grants attackers complete control, including the ability to create persistent admin accounts within FortiWeb and make unauthorized configuration changes that survive system reboots. The FortiWeb compromise allows threat actors to maintain long-term access to vulnerable web application firewall devices.
Organizations must immediately install the latest fixed FortiWeb version to protect devices from ongoing exploitation of CVE-2025-64446. Updating FortiWeb systems represents the only reliable method to fully eliminate this critical vulnerability and prevent unauthorized FortiWeb admin account creation. FortiWeb patch deployment should be prioritized as a critical security update across all affected installations.
As a temporary FortiWeb security measure, organizations should disable HTTP and HTTPS access on all internet-facing FortiWeb interfaces until patches are applied. This FortiWeb hardening reduces attacker entry points and limits exposure of vulnerable FortiWeb management interfaces. Restricting FortiWeb access helps prevent exploitation attempts during the patching window.
Security teams must review all administrator profiles within FortiWeb devices to identify suspicious accounts created through this vulnerability. Organizations should remove any unrecognized FortiWeb administrator accounts and investigate account creation timestamps within FortiWeb audit logs. Comprehensive FortiWeb account auditing helps detect successful exploitation attempts and prevents persistent attacker access.
Where technically feasible, restrict FortiWeb management access exclusively to trusted IP addresses and implement multi-factor authentication (MFA) for all FortiWeb administrator accounts. Enhanced FortiWeb access controls provide additional security layers beyond patching and reduce the attack surface for FortiWeb management interfaces. Strong FortiWeb authentication requirements help prevent unauthorized access even if vulnerabilities exist.
Organizations must implement comprehensive vulnerability management programs that regularly assess and update FortiWeb and other security software to address known vulnerabilities. Maintaining accurate inventories of FortiWeb versions and security patches enables proactive vulnerability remediation. Evaluating security practices of third-party vendors like Fortinet, especially for critical FortiWeb applications and services, ensures ongoing protection against emerging threats.
Get through updates and upcoming events, and more directly in your inbox