Security researchers are warning about two critical vulnerabilities in Fortinet’s FortiWeb appliances, now tracked under CVE-2025-64446, being actively exploited in the wild.
According to findings published by watchTowr, one flaw allows unauthenticated actors to access internal CGI endpoints via relative path traversal, while the other authentication bypass issue lets them impersonate any administrator by abusing the “HTTP_CGIINFO” header.
Even more troubling is the apparent exploitation of the vulnerability in the wild for weeks before Fortinet’s advisory on November 14, making it a zero-day abuse. Fortinet reportedly shipped silent patches for the flaw via v8.0.2 after reports of exploitation started surfacing.
“Over the last few days, multiple security companies, CERTs, and individuals have sounded alarms about active exploitation of the silently patched vulnerability,” VulnCheck’s Caitlin Condon said in a blog post. “Fortinet has not published any information on why the vulnerability was silently patched and initially failed to receive a CVE or a security bulletin.”
The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, directing all federal civilian agencies to patch the flaw by November 21.
Path traversal along with admin-impersonation
The first half of the attack chain begins with a relative path traversal in the FortiWeb GUI/API handler. Researchers at Picus explain that requests under the “api/v2.0/” routing path can be manipulated using sequences like “../../../../../cgi-bin/fwbcgi”, thereby redirecting the call to the internal legacy CGI component instead of the intended API endpoint.
Effectively, the appliance’s Apache configuration forwards the crafted request into “fwbcgi,” bypassing expected protections.
Once the attacker reaches the CGI backend, they exploit a second design flaw–the cgi_auth() function blindly processes an “HTTP_CGIINFO” header provided by the client. The JSON fields in the header accept username, profname, vdom, and loginname without proper checks, resulting in an unauthenticated attacker impersonating any admin account and gaining full admin privileges.
Combined, these steps allow full remote code execution with no credentials. The path traversal opens the door, and the header spoofing sets the attack in motion. Fortinet assigned the flaw a severity rating of 9.1 out of 10, while researchers at Picus think it should be 9.8.
Fortinet did not immediately respond to CSO’s requests for comments on silent patching or under-rating the flaw.
Defense delayed due to silent patching
While Fortinet officially published an advisory for CVE-2025-64446 on November 14, 2025, the vendor’s earlier version release note made no mention of the vulnerability or the fix, leading to criticism that the patch was applied silently.
“Silently patching vulnerabilities is an established bad practice that enables attackers and harms defenders, particularly for devices and systems (including FortiWeb) that have previously been exploited in the wild,” Condon complained. “We already know security by obscurity doesn’t work; adversaries monitor new product releases and are actively reverse engineering patches regardless of whether suppliers tell their customers about fixed vulnerabilities or not.”
VulnCheck had reported nearly 300 internet-facing FortiWeb instances via Shodan and a broader ~2700 via FOFA, all potentially vulnerable.
Affected versions include 7.0.0 through 7.0.11, 7.2.0 through 7.2.11, 7.4.0 through 7.4.9, 7.6.0 through 7.6.4, and 8.0.0 through 8.0.1. Fixes are applied in releases 7.0.12, 7.2.12, 7.4.10, 7.6.5, and 8.0.2.
Fortinet recommends disabling HTTP or HTTPS for internet-facing interfaces for customers who cannot immediately upgrade. “If the HTTP/HTTPS Management interface is internally accessible only as per best practice, the risk is significantly reduced,“ the company added.
No Responses