CVE-2025-64446 in Fortinet FortiWeb: Overview and Recommended Actions

Summary

In recent cybersecurity news, a critical zero-day vulnerability, identified as CVE-2025-64446, has emerged in Fortinet’s Web Application Firewall (WAF), FortiWeb. This path-traversal flaw is being actively exploited to create unauthorized administrator accounts on affected systems, allowing unauthenticated attackers to gain full administrator access.

Interestingly, this vulnerability has yet to be officially acknowledged by Fortinet, and it hasn’t been assigned a formal CVE number. Despite this, exploitation appears to have been underway since early October 2025. Security researchers, including watchTowr Labs and Rapid7, have confirmed its active exploitation, and public proof-of-concept (PoC) code is now circulating in the wild.

CVE-2025-64446 Overview

The flaw is reachable through a FortiWeb API endpoint, specifically via the following request path:

  /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi

Exploiting this vulnerability requires attackers to send crafted HTTP POST requests to the aforementioned path. This grants them the ability to create local administrative users without authentication, leading to severe security risks.

The vulnerability affects all versions of FortiWeb up to and including version 8.0.1. However, it has been addressed in the newly released version 8.0.2, which now rejects any exploitation attempts with an HTTP 403 Forbidden response. The activity linked to this exploit was first detected by Defused on October 6, 2025, and has since escalated to a global scale.

Insights from Bitsight Threat Intelligence

According to findings from Bitsight Threat Intelligence, based on telemetry and public disclosures, various significant trends surrounding this vulnerability have been identified:

  • Exploitation activities have been ongoing since October 2025, with origins from IP addresses across the U.S., Europe, and Asia.
  • Attackers are utilizing automated payloads to create admin accounts with names like “Testpoint,” “trader,” and “trader1.”
  • Some of the assigned passwords include 3eMIXX43, AFT3$tH4ck, and AFT3$tH4ckmet0d4yaga!n.
  • A public PoC has been released, alongside a tool by watchTowr Labs called the “FortiWeb Authentication Bypass Artifact Generator.” This tool aims to assist defenders in identifying vulnerable systems.
  • Rapid7 has confirmed that the exploit is effective against versions 8.0.1 and earlier, while being blocked in 8.0.2.

CVE-2025-64446 Technical Overview

  • Vulnerability type: Path Traversal → Authentication Bypass / Privilege Escalation
  • Affected product: Fortinet FortiWeb 8.0.1 and earlier
  • Impact: Remote, unauthenticated administrative access
  • Exploit behavior: Creates new admin accounts for persistence
  • Mitigation indicator: HTTP 403 response on patched version 8.0.2
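The two observable facts above, the traversal path and the 403 that 8.0.2 returns, translate directly into a log check. This is an added detection example, not code from the article or from Fortinet; the log layout, the sample lines and the verdict labels are constructed assumptions, and the normalizer percent-decodes repeatedly so that encoded variants of the same request are judged alike.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines in a common-log-like layout (assumed; not FortiWeb's
# native format). Line 3 is the same request against patched 8.0.2, which answers 403.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Oct/2025:12:00:01 +0000] "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200
203.0.113.11 - - [06/Oct/2025:12:00:02 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 200
203.0.113.12 - - [06/Oct/2025:12:00:03 +0000] "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1" 403
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET = "/cgi-bin/fwbcgi"  # backend CGI the traversal lands on


def decode_fully(raw_path: str) -> str:
    """Percent-decode until stable so '%3f' becomes a literal '?' inside a
    path segment, the same way the vulnerable backend ends up seeing it."""
    decoded = raw_path
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded


def classify(raw_path: str, status: str) -> str:
    """'blocked' when a traversal to TARGET got the 403 that 8.0.2 returns,
    'suspect' for any other status, '' when the request is not a traversal."""
    decoded = decode_fully(raw_path)
    if "/../" not in decoded or posixpath.normpath(decoded) != TARGET:
        return ""
    return "blocked" if status == "403" else "suspect"


def scan_log(text: str) -> list[dict]:
    """Return one record per flagged line: source, timestamp, status, verdict."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (verdict := classify(m["path"], m["status"])):
            hits.append({"src": m["src"], "ts": m["ts"],
                         "status": m["status"], "verdict": verdict})
    return hits
```

A "suspect" hit on an unpatched device is the cue to review the local admin list for the account names quoted above, since a successful request leaves a new administrator behind rather than a crash.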

Why This Matters

This zero-day vulnerability poses a direct threat to perimeter security controls. If exploited, attackers can manipulate or disable WAF rules, exfiltrate sensitive data, or pivot deeper into the network infrastructure. The lack of a formal CVE or advisory from Fortinet emphasizes the need for organizations to take proactive steps in exposure management and rely on community intelligence, instead of awaiting official notifications.
