{"id":5848,"date":"2025-11-18T12:05:35","date_gmt":"2025-11-18T12:05:35","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5848"},"modified":"2025-11-18T12:05:35","modified_gmt":"2025-11-18T12:05:35","slug":"fortinets-silent-patch-sparks-alarm-as-a-critical-fortiweb-flaw-is-exploited-in-the-wild","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5848","title":{"rendered":"Fortinet\u2019s silent patch sparks alarm as a critical FortiWeb flaw is exploited in the wild"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Security researchers are warning about two critical vulnerabilities in Fortinet\u2019s FortiWeb appliances, now tracked under CVE-2025-64446, being actively exploited in the wild.<\/p>\n<p>According to <a href=\"https:\/\/labs.watchtowr.com\/when-the-impersonation-function-gets-used-to-impersonate-users-fortinet-fortiweb-auth-bypass\/\" target=\"_blank\" rel=\"noopener\">findings<\/a> published by watchTowr, one flaw allows unauthenticated actors to access internal CGI endpoints via relative path traversal, while the other authentication bypass issue lets them impersonate any administrator by abusing the \u201cHTTP_CGIINFO\u201d header.<\/p>\n<p>Even more troubling is the apparent exploitation of the vulnerability in the wild for weeks before Fortinet\u2019s <a href=\"https:\/\/fortiguard.fortinet.com\/psirt\/FG-IR-25-910\" target=\"_blank\" rel=\"noopener\">advisory<\/a> on November 14, making it a <a href=\"https:\/\/www.csoonline.com\/article\/4031603\/32-of-exploited-vulnerabilities-are-now-zero-days-or-1-days.html\">zero-day<\/a> abuse. 
Fortinet reportedly shipped silent patches for the flaw via v8.0.2 after reports of exploitation started surfacing.<\/p>\n<p>\u201cOver the last few days, multiple security companies, CERTs, and individuals have sounded alarms about active exploitation of the silently patched vulnerability,\u201d VulnCheck\u2019s Caitlin Condon said in a blog <a href=\"https:\/\/www.vulncheck.com\/blog\/fortinet-forti-web-exploitation-hits-silently-patched-vulnerability\">post<\/a>. \u201cFortinet has not published any information on why the vulnerability was silently patched and initially failed to receive a CVE or a security bulletin.\u201d<\/p>\n<p>The US Cybersecurity and Infrastructure Security Agency (CISA) has <a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\" target=\"_blank\" rel=\"noopener\">added<\/a> the flaw to its Known Exploited Vulnerabilities (KEV) catalog, directing all federal civilian agencies to patch the flaw by November 21.<\/p>\n<h2 class=\"wp-block-heading\">Path traversal along with admin impersonation<\/h2>\n<p>The first half of the attack chain begins with a relative path traversal in the FortiWeb GUI\/API handler. Researchers at Picus <a href=\"https:\/\/www.picussecurity.com\/resource\/blog\/fortiweb-cve-2025-64446-vulnerability-path-traversal-leads-to-remote-code-execution\" target=\"_blank\" rel=\"noopener\">explain<\/a> that requests under the \u201capi\/v2.0\/\u201d routing path can be manipulated using sequences like \u201c..\/..\/..\/..\/..\/cgi-bin\/fwbcgi\u201d, thereby redirecting the call to the internal legacy CGI component instead of the intended API endpoint.<\/p>\n<p>Effectively, the appliance\u2019s Apache configuration forwards the crafted request into \u201cfwbcgi,\u201d bypassing expected protections.<\/p>\n<p>Once the attacker reaches the CGI backend, they exploit a second design flaw: the cgi_auth() function blindly processes an \u201cHTTP_CGIINFO\u201d header provided by the client. 
The JSON fields in the header accept username, profname, vdom, and loginname without proper checks, allowing an unauthenticated attacker to impersonate any admin account and gain full admin <a href=\"https:\/\/www.csoonline.com\/article\/569571\/privilege-escalation-explained-why-these-flaws-are-so-valuable-to-hackers.html\">privileges<\/a>.<\/p>\n<p>Combined, these steps allow full remote code execution with no credentials. The path traversal opens the door, and the header spoofing sets the attack in motion. Fortinet assigned the flaw a severity rating of 9.1 out of 10, while researchers at Picus think it should be 9.8.<\/p>\n<p>Fortinet did not immediately respond to CSO\u2019s requests for comments on silent patching or under-rating the flaw.<\/p>\n<h2 class=\"wp-block-heading\">Defense delayed due to silent patching<\/h2>\n<p>While Fortinet officially published an advisory for <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-64446\" target=\"_blank\" rel=\"noopener\">CVE-2025-64446<\/a> on November 14, 2025, the vendor\u2019s <a href=\"https:\/\/docs.fortinet.com\/document\/fortiweb\/8.0.2\/release-notes\/950216\/introduction\" target=\"_blank\" rel=\"noopener\">release note<\/a> for the earlier 8.0.2 version made no mention of the vulnerability or the fix, leading to criticism that the patch was applied silently.<\/p>\n<p>\u201cSilently patching vulnerabilities is an established bad practice that enables attackers and harms defenders, particularly for devices and systems (including FortiWeb) that have previously been exploited in the wild,\u201d Condon complained. 
\u201cWe already know security by obscurity doesn\u2019t work; adversaries monitor new product releases and are actively reverse engineering patches regardless of whether suppliers tell their customers about fixed vulnerabilities or not.\u201d<\/p>\n<p>VulnCheck had reported nearly 300 internet-facing FortiWeb instances via Shodan and roughly 2,700 via FOFA, all potentially vulnerable.<\/p>\n<p>Affected versions include 7.0.0 through 7.0.11, 7.2.0 through 7.2.11, 7.4.0 through 7.4.9, 7.6.0 through 7.6.4, and 8.0.0 through 8.0.1. Fixes are applied in releases 7.0.12, 7.2.12, 7.4.10, 7.6.5, and 8.0.2.<\/p>\n<p>Fortinet recommends disabling HTTP or HTTPS for internet-facing interfaces for customers who cannot immediately upgrade. \u201cIf the HTTP\/HTTPS Management interface is internally accessible only as per best practice, the risk is significantly reduced,\u201d the company added.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Security researchers are warning about two critical vulnerabilities in Fortinet\u2019s FortiWeb appliances, now tracked under CVE-2025-64446, being actively exploited in the wild. 
According to findings published by watchTowr, one flaw allows unauthenticated actors to access internal CGI endpoints via relative path traversal, while the other authentication bypass issue lets them impersonate any administrator by abusing [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5849,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5848","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5848"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5848"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5848\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5849"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5848"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5848"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5848"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}