Cybersecurity researchers are sounding the alert about an authentication bypass vulnerability in Fortinet Fortiweb Web Application Firewall (WAF) that could allow an attacker to take over admin accounts and completely compromise a device.
"The watchTowr team is seeing active, indiscriminate in-the-wild exploitation of what appears to be a silently patched vulnerability in Fortinet's FortiWeb product," Benjamin Harris, watchTowr CEO and founder, said in a statement.
"Patched in version 8.0.2, the vulnerability allows attackers to perform actions as a privileged user - with in-the-wild exploitation focusing on adding a new administrator account as a basic persistence mechanism for the attackers."
The cybersecurity company said it was able to successfully reproduce the vulnerability and create a working proof-of-concept (Poc). It has also released an artifact generator tool for the authentication bypass to help identify susceptible devices.
According to details shared by Defused and security researcher Daniel Card of PwnDefend, the threat actor behind the exploitation has been found to send a payload to the "/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi" endpoint by means of an HTTP POST request to create an admin account.
Some of the admin usernames and passwords created by the payloads detected in the wild are below -
- Testpoint / AFodIUU3Sszp5
- trader1 / 3eMIXX43
- trader / 3eMIXX43
- test1234point / AFT3$tH4ck
- Testpoint / AFT3$tH4ck
- Testpoint / AFT3$tH4ckmet0d4yaga!n
watchTowr Labs researcher Sina Kheirkhah, in a follow-up analysis, said the vulnerability is actually a combination of two flaws: a path traversal bug within the HTTP request to reach the "fwbcgi" executable ("/api/v2.0/cmdb/system/admin%3F/../../../../../cg1-bin/fwbcgi") and an authentication bypass via the contents of the HTTP request header CGIINFO.
The "fwbcgi" binary includes a check to confirm if the body of the incoming HTTP request is a valid JSON blob, as well as invokes a function named "cgi_auth()," which "provides a mechanism to impersonate any user based on data supplied by the client."
This unfolds over four steps -
- Extract a CGIINFO header from the HTTP request
- Decode the Base64-encoded value
- Parse the result as JSON
- Iterate over the all JSON keys in the blob to extract four attributes: username, profname (profile name), vdom (virtual domain), and loginname (login identifier)
In other words, these fields passed via the HTTP request instruct "fwbcgi" the user the sender of the request wishes to impersonate. In the case of the built-in "admin" account, these values are consistent across devices and cannot be changed: username ("admin"), profname ("prof_admin"), vdom ("root"), and loginname ("admin").
As a result, an attacker can leverage the path traversal vulnerability by sending a specifically crafted HTTP request containing a CGIINFO header that allows them to impersonate any user, including an admin, by simply supplying the aforementioned values and inheriting their privileges.
"That means an attacker can perform any privileged action simply by supplying the appropriate JSON structure," Kheirkhah explained, adding that the vulnerability could be weaponized to create new local users with elevated privileges.
The origins and identity of the threat actor behind the attacks remain unknown. The exploitation activity was first detected early last month. As of writing, Fortinet has not assigned a CVE identifier or published an advisory on its PSIRT feed.
Rapid7, which is urging organizations running versions of Fortinet FortiWeb that predate 8.0.2 to address the vulnerability on an emergency basis, said it observed an alleged zero-day exploit targeting FortiWeb was published for sale on a popular black hat forum on November 6, 2025. It's currently not clear if it's the same exploit.
"While we wait for a comment from Fortinet, users and enterprises are now facing a familiar process now: look for trivial signs of prior compromise, reach out to Fortinet for more information, and apply patches if you haven't already," Harris said. "That said, given the indiscriminate exploitation observed [...], appliances that remain unpatched are likely already compromised."
Update
Fortinet is now tracking the vulnerability as CVE-2025-64446 (CVSS score: 9.1), describing it as a relative path traversal vulnerability in FortiWeb that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests. The company also acknowledged that it has "observed this to be exploited in the wild."
The issue affects the following versions -
- FortiWeb 8.0.0 through 8.0.1 (Upgrade to 8.0.2 or above)
- FortiWeb 7.6.0 through 7.6.4 (Upgrade to 7.6.5 or above)
- FortiWeb 7.4.0 through 7.4.9 (Upgrade to 7.4.10 or above)
- FortiWeb 7.2.0 through 7.2.11 (Upgrade to 7.2.12 or above)
- FortiWeb 7.0.0 through 7.0.11 (Upgrade to 7.0.12 or above)
As workarounds, users are advised to disable HTTP or HTTPS for internet-facing interfaces until patches can be applied. It's also advised to review their configuration and review logs for unexpected modifications, or the addition of unauthorized administrator accounts.
"We are aware of this vulnerability and activated our PSIRT response and remediation efforts as soon as we learned of this matter, and those efforts remain ongoing,” a spokesperson for the company told The Hacker News.
“Fortinet diligently balances our commitment to the security of our customers and our culture of responsible transparency. With that goal and principle top of mind, we are communicating directly with affected customers to advise on any necessary recommended actions. We urge our customers to refer to the advisory and follow the guidance provided for CVE FG-IR-25-910."
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by November 21, 2025.
"Limiting access to HTTP/HTTPS management interfaces to internal networks is a best practice that reduces, but does not eliminate, risk; upgrading the affected systems remains essential and is the only way to fully remediate this vulnerability," the agency said in a separate advisory.
In a similar alert, cybersecurity company VulnCheck urged FortiWeb customers to reach out to the supplier for guidance on threat hunting and other indicators of compromise (IoCs). It also criticized Fortinet's security by obscurity approach.
"Silently patching vulnerabilities is an established bad practice that enables attackers and harms defenders, particularly for devices and systems (including FortiWeb) that have previously been exploited in the wild," VulnCheck's Caitlin Condon said. "When popular technology vendors fail to communicate new security issues, they are issuing an invitation to attackers while choosing to keep that same information from defenders."
(The story was amended after publication to include a response from Fortinet and details of CISA's advisory.)
