Fortinet is encouraging customers to apply a fix as quickly as possible for a critical path traversal flaw in its FortiWeb web application firewall that has been exploited in the wild for more than a month. 

That vulnerability (CVE-2025-64446) affects several versions of FortiWeb, and CISA has added it to its Known Exploited Vulnerabilities catalog. Fortinet has released fixes for all of the affected versions of FortiWeb, which include versions 7.0, 7.2, 7.4, 7.6, and 8.0. The flaw is a relative path traversal vulnerability that enables an attacker to execute arbitrary code through a simple HTTP request.

In an analysis of the vulnerability, Mayuresh Dani of Qualys said that there are two discrete flaws rolled up in this CVE. 

“The first stage exploits a path traversal weakness in the FortiWeb API. If a URI begins with a valid API path like /api/v2.0/cmdb/system/admin, an attacker can traverse to the underlying fwbcgi CGI executable,” Dani said. 

“The second stage abuses how FortiWeb’s fwbcgi binary handles authentication through the cgi_auth() function. This function doesn’t actually authenticate users. Instead, it accepts user identity information from the client via a base64-encoded CGIINFO HTTP header. Since the built-in admin account has consistent attributes across all FortiWeb devices that can’t be modified, threat actors can reliably impersonate this account by supplying the correct JSON structure.”
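
The two stages Dani describes leave two distinct marks on a request: a dot-dot segment after a legitimate /api/v2.0/ prefix, and a CGIINFO header that a normal client never sends. The following detection helper is an added example, not Fortinet's or Qualys's code; it assumes a constructed JSON-lines log of requests (source, method, path, headers) such as a reverse proxy in front of the management interface could produce.

```python
import json
from urllib.parse import unquote

API_PREFIX = "/api/v2.0/"  # legitimate prefix the first stage starts from

def has_traversal(path: str) -> bool:
    """True if a request under the API prefix carries a dot-dot segment.

    The query string is dropped first (as the server would), then the path is
    URL-decoded twice so single- and double-encoded '%2e%2e' are both caught.
    """
    raw_path = path.split("?", 1)[0]
    if not raw_path.startswith(API_PREFIX):
        return False
    decoded = unquote(unquote(raw_path))
    return ".." in decoded.split("/")

def findings_for(record: dict) -> list:
    """Indicators present in one request record: traversal and/or CGIINFO header."""
    found = []
    if has_traversal(record.get("path", "")):
        found.append("api-prefix-traversal")
    if any(name.lower() == "cgiinfo" for name in record.get("headers", {})):
        found.append("cgiinfo-header")
    return found

# Constructed sample log (not real traffic): one JSON object per request.
SAMPLE_LOG = """\
{"src": "203.0.113.7", "method": "POST", "path": "/api/v2.0/cmdb/system/admin/%2e%2e/%2e%2e/fwbcgi", "headers": {"CGIINFO": "eyJleGFtcGxlIjogImNvbnN0cnVjdGVkIn0="}}
{"src": "198.51.100.2", "method": "GET", "path": "/api/v2.0/cmdb/system/admin", "headers": {"Cookie": "session=constructed"}}
{"src": "198.51.100.9", "method": "GET", "path": "/api/v2.0/system/status?page=..", "headers": {}}
"""

def scan_log(text: str) -> list:
    """Return (src, findings) for every record that shows at least one indicator."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        findings = findings_for(record)
        if findings:
            hits.append((record.get("src", "?"), findings))
    return hits

if __name__ == "__main__":
    for src, findings in scan_log(SAMPLE_LOG):
        print(f"{src}: {', '.join(findings)}")
```

The third sample line shows why the query string is stripped before decoding: a `..` in a parameter value is not a path traversal and should not page anyone.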

Fortinet originally patched this vulnerability silently without publishing an advisory, something that typically doesn’t sit very well with customers and researchers looking for context about the bug. 

“Silently patching vulnerabilities is an established bad practice that enables attackers and harms defenders, particularly for devices and systems (including FortiWeb) that have previously been exploited in the wild. We already know security by obscurity doesn't work; adversaries monitor new product releases and are actively reverse engineering patches regardless of whether suppliers tell their customers about fixed vulnerabilities or not,” Caitlin Condon, vice president of security research at VulnCheck, wrote in a good breakdown of the situation. 

Although Fortinet said the flaw has been exploited in the wild and CISA added it to the KEV, there is no other information on the exploitation activity or what organizations have been targeted thus far. For organizations that aren’t able to upgrade to a patched version immediately, Fortinet recommends disabling the HTTP interface. 

“Disable HTTP or HTTPS for internet facing interfaces. Fortinet recommends taking this action until an upgrade can be performed. If the HTTP/HTTPS Management interface is internally accessible only as per best practice, the risk is significantly reduced,” the company’s advisory says.