The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Fortinet FortiWeb flaw, tracked as CVE-2025-64446 (CVSS score of 9.1), to its Known Exploited Vulnerabilities (KEV) catalog.
The vulnerability is a relative path traversal issue affecting FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, and FortiWeb 7.0.0 through 7.0.11. An attacker can exploit the flaw to execute administrative commands on the system by sending crafted HTTP or HTTPS requests to vulnerable devices.
“A relative path traversal vulnerability [CWE-23] in FortiWeb may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests,” reads the advisory. “Fortinet has observed this to be exploited in the wild.”
The cybersecurity vendor recommends disabling HTTP/HTTPS on internet-facing interfaces until upgrading. If management access is internal only, the risk is greatly reduced.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by November 21, 2025.
This week, researchers warned of an authentication bypass flaw in the Fortinet FortiWeb WAF that allows full device takeover. The cybersecurity vendor addressed the vulnerability with the release of version 8.0.2.
The flaw lets an unauthenticated attacker take full administrative control of FortiWeb devices. The issue was publicly disclosed after Defused shared a PoC on October 6, 2025, following real attack attempts captured by its honeypot.
watchTowr Labs confirmed the FortiWeb exploit and published the video PoC on X. The team also released a tool, the “FortiWeb Authentication Bypass Artifact Generator,” which tries to exploit the flaw by creating an admin account with a random 8-character username.
Defused and researcher Daniel Card report that attackers are exploiting the flaw by sending a crafted HTTP POST request to “/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi” to create a new admin account.
“So this is already public and already being sprayed over the internet, there’s always a concern here when we think about how much intel to share/publish etc. So I’m not going to write the full details but I will give enough to help with detection logic (someone else is free to do more, that’s their own choice!)” Card explained.
“The TA appears to send a payload to the following URL endpoint via an HTTP POST request:
`/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi`
Inside this is a payload to create a user account.”
Card extracted the following credentials from the payloads:
| Username | Password |
|---|---|
| Testpoint | AFodIUU3Sszp5 |
| trader1 | 3eMIXX43 |
| trader | 3eMIXX43 |
| test1234point | AFT3$tH4ck |
| Testpoint | AFT3$tH4ck |
| Testpoint | AFT3$tH4ckmet0d4yaga!n |
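As an added example that is not from the article or from Card's write-up, the Python below turns the indicators given above (the request path and the extracted usernames) into a simple detection pass a defender can run over web-access logs in front of a FortiWeb appliance. The log lines are constructed for the example, and the regex, function names and the percent-decoding logic are this example's own assumptions, not a Fortinet or Defused tool.

```python
import re
from urllib.parse import unquote

# Indicators from the article: the traversal target reported by Defused and
# Daniel Card, and the usernames extracted from the observed payloads.
IOC_PATH_SUFFIX = "/cgi-bin/fwbcgi"
IOC_USERNAMES = {"Testpoint", "trader1", "trader", "test1234point"}

# Constructed sample access-log lines (combined log format); not real captures.
# Line 3 is double-encoded to show why decoding must be repeated before matching.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Nov/2025:10:01:02 +0000] "POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512
203.0.113.11 - - [14/Nov/2025:10:01:05 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 200 2048
203.0.113.12 - - [14/Nov/2025:10:02:17 +0000] "POST /api/v2.0/cmdb/system/admin%253F/..%2F..%2F..%2F..%2F..%2Fcgi-bin/fwbcgi HTTP/1.1" 200 512
203.0.113.13 - - [14/Nov/2025:10:03:40 +0000] "GET /static/logo.png HTTP/1.1" 200 9001
"""

# Minimal combined-log-format parser (assumed format, enough for the fields used here).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(raw: str) -> str:
    """Percent-decode repeatedly (bounded) so '%253F' and '..%2F' collapse to their plain form."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal_to_fwbcgi(raw_path: str) -> bool:
    """True when the decoded request target walks up with '..' and lands on /cgi-bin/fwbcgi."""
    decoded = normalize_path(raw_path)
    has_dotdot = any(segment == ".." for segment in decoded.split("/"))
    return has_dotdot and decoded.endswith(IOC_PATH_SUFFIX)


def scan_access_log(text: str) -> list:
    """Return one finding per log line whose request matches the traversal indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_traversal_to_fwbcgi(m.group("path")):
            findings.append({
                "src": m.group("src"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "path": m.group("path"),
                "status": m.group("status"),
            })
    return findings


def flag_ioc_admins(account_names) -> list:
    """Return admin account names (as given) that match the usernames seen in the payloads, case-insensitively."""
    wanted = {u.lower() for u in IOC_USERNAMES}
    return [name for name in account_names if name.lower() in wanted]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"suspicious request from {f['src']} at {f['ts']}: {f['method']} {f['path']} -> {f['status']}")
    # Constructed admin list, as it might be exported from the appliance for review.
    print("accounts matching payload IoCs:", flag_ioc_admins(["admin", "Testpoint", "TRADER", "ops"]))
```

The decoding loop matters because a single `unquote` would leave the double-encoded request in line 3 undetected; a bounded loop stops the same trick from becoming an infinite-decoding problem. A status of 200 on a matching request is the signal to pull the appliance's admin list and compare it against the usernames above, since the reported payloads create a new administrator.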
At this time, it is unclear who is behind the exploitation attempts.
(SecurityAffairs – hacking, CISA)