Published On: Nov 24, 2025 15:18
Advisory No: TZCERT-SA-25-0118
Source: FORTINET
Software Affected: Fortinet FortiWeb version 8.0.0 through 8.0.1, Fortinet FortiWeb version 7.6.0 through 7.6.4, Fortinet FortiWeb version 7.4.0 through 7.4.9, Fortinet FortiWeb version 7.2.0 through 7.2.11 and Fortinet FortiWeb version 7.0.0 through 7.0.11
A critical vulnerability has been discovered in Fortinet FortiWeb (WAF appliance) that allows an unauthenticated attacker to execute administrative commands by exploiting a path traversal and authentication bypass flaw in the management interface. This vulnerability is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) Catalogue.
The vulnerability, CVE-2025-64446, arises from a relative path traversal flaw combined with authentication bypass logic in FortiWeb’s API/GUI management interface.
An attacker sends a crafted HTTP/HTTPS POST request to a vulnerable endpoint (for example: /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi) which bypasses intended authentication controls and reaches a legacy CGI handler.
Through this access, the attacker can create administrative accounts, modify configuration, execute arbitrary commands on the device and pivot into the network.
Successful exploitation of this vulnerability can result in:
· Full administrative control of the FortiWeb appliance.
· Potential exposure of all web-application firewall managed assets.
· Lateral movement opportunity into protected networks behind the WAF.
· Attackers may install backdoors, modify policies, disrupt services or exfiltrate sensitive data.
Severity:
· CVSS Score: 9.8 (Critical)
· Attack Vector: Network
· Privileges Required: None
· User Interaction: None
· Status: Actively Exploited
Fortinet has released a security patch for this vulnerability. Users and administrators are encouraged to apply the necessary updates.
Indicators of Compromise (IoCs):
· Unexpected POST requests to URLs containing path-traversal sequences (e.g., /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi).
· New administrative accounts appearing on FortiWeb appliances without legitimate change.
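As an added illustration of the first indicator above (this is not Fortinet's or TZCERT's code), the following Python script scans HTTP access-log lines, percent-decodes and normalizes each request path, and flags requests whose traversal resolves to the legacy CGI handler named in this advisory. The Apache/NGINX "combined" log format and the sample log lines are constructed assumptions; the two path constants (/api/v2.0/ and /cgi-bin/fwbcgi) are taken from the advisory's example URL.

```python
"""Scan HTTP access logs for the CVE-2025-64446 request pattern.

Added illustration, not Fortinet's or TZCERT's code. It assumes the logs are
in Apache/NGINX "combined" format (constructed assumption); the sample lines
are constructed, and the two path constants come from the advisory.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed assumption: Apache/NGINX combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)

MGMT_PREFIX = "/api/v2.0/"      # management API prefix, from the advisory's example URL
LEGACY_CGI = "/cgi-bin/fwbcgi"  # legacy CGI handler the traversal lands on, per the advisory


def _decoded_path(target):
    """Drop the real query string (a literal '?'), then percent-decode until the
    string stops changing, so %3f, %2e%2e, %2F and double-encoded forms become
    the characters the server ultimately sees. The encoded '?' in the advisory's
    URL survives this step as part of the path, not as a query separator."""
    path = target.split("?", 1)[0]
    for _ in range(3):                      # bounded: stop at a fixed point
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def effective_path(target):
    """Resolve '.' and '..' segments the way a lenient path resolver would.
    posixpath.normpath never climbs above '/', so a deep traversal collapses
    to the directory it actually lands in."""
    return posixpath.normpath(_decoded_path(target))


def classify(target):
    """Return a verdict string for a request target, or None if it looks benign."""
    decoded = _decoded_path(target)
    if ".." not in decoded.split("/"):
        return None
    if posixpath.normpath(decoded) == LEGACY_CGI:
        return "CVE-2025-64446-pattern"     # traversal resolves to the legacy CGI handler
    if decoded.startswith(MGMT_PREFIX):
        return "traversal-in-mgmt-api"      # dot-segments under the management API
    return "traversal"                      # dot-segments elsewhere: still worth a look


def scan_log(lines):
    """Return (ip, method, status, target, verdict) for every flagged log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue        # unparseable line; a production job should count these
        verdict = classify(m["target"])
        if verdict:
            hits.append((m["ip"], m["method"], m["status"], m["target"], verdict))
    return hits


# Constructed sample log: a benign probe, the advisory's request pattern, a
# legitimate query-string request, a percent-encoded form of the same
# traversal (to show why decoding before matching matters), and a generic
# traversal under the API that does not reach the CGI handler.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Nov/2025:10:01:02 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 401 0 "-" "curl/8.4"
203.0.113.10 - - [20/Nov/2025:10:01:05 +0000] "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 118 "-" "python-requests/2.31"
198.51.100.7 - - [20/Nov/2025:10:02:11 +0000] "GET /api/v2.0/cmdb/system/admin?mkey=admin HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Nov/2025:10:03:40 +0000] "POST /api/v2.0/cmdb/system/admin%3f/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/cgi-bin/fwbcgi HTTP/1.1" 200 118 "-" "python-requests/2.31"
192.0.2.22 - - [20/Nov/2025:10:05:00 +0000] "GET /api/v2.0/cmdb/system/../status HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, method, status, target, verdict in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{verdict:24} {ip:15} {method:5} {status} {target}")
```

Run the script directly to print the flagged lines from the constructed sample. The check decodes before matching so that the advisory's literal URL and percent-encoded spellings of it are treated alike, and it reports the HTTP method and status rather than requiring POST, so an analyst can prioritise POST requests that reached the handler with a 200 response. The second indicator above (new administrative accounts) is a configuration-audit check rather than a log search and is not covered by this script.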
A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.