FortiWeb CVE-2025-64446 is being mass‑exploited; hunt for admin impersonation and ClickFix over finger.exe
Fortinet has acknowledged active exploitation of a FortiWeb GUI path traversal that lets an unauthenticated attacker reach a CGI endpoint and impersonate users, including admins, to run privileged actions such as creating new administrator accounts (CVE-2025-64446) (Fortinet PSIRT FG-IR-25-910; NVD entry). SANS ISC’s Stormcast on November 17, 2025 highlighted widespread scanning and recommended treating exposed, unpatched appliances as compromised until proven otherwise (SANS Stormcast 2025-11-17). In parallel, ClickFix lures are leveraging Windows finger.exe to fetch follow-on commands over the legacy Finger protocol, making egress on TCP/79 a simple detection point (SANS ISC diary; BleepingComputer).
Intrusion Flow
- Entry: FortiWeb management interface reachable (internet-facing or reachable by a foothold) on vulnerable versions. Fortinet lists 8.0.0-8.0.1, 7.6.0-7.6.4, 7.4.0-7.4.9, 7.2.0-7.2.11, and 7.0.0-7.0.11; fixed in 8.0.2, 7.6.5, 7.4.10, 7.2.12, 7.0.12 (Fortinet PSIRT).
- Exploit: An attacker issues a request that starts on a valid API path and traverses to /cgi-bin/fwbcgi, for example: GET /api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi. If reachable, fwbcgi accepts a Base64 JSON block via the CGIINFO header that the backend interprets as user attributes, enabling impersonation and privileged operations (watchTowr analysis).
- Impact: Complete compromise of the appliance’s administrative plane; observed payloads create new admin users to persist (watchTowr; SANS ISC honeypot diary).
- Observed at scale: CISA added CVE-2025-64446 to KEV on November 14, 2025 with a remediation due date of November 21, 2025 for U.S. civilian agencies (NVD KEV details).
- Concurrent user compromise vector: ClickFix pages convince users to run one-liners; recent variants fetch commands via finger.exe over TCP/79, which is not proxy-aware and uses a fixed port (SANS ISC diary; background on ClickFix adoption: BleepingComputer).
Key Artifacts to Pull
- FortiWeb (CLI/Support bundle):
  - Full configuration and admin account list immediately after isolating management access. Fortinet explicitly advises reviewing logs for unauthorized admin additions post-upgrade (Fortinet PSIRT).
  - HTTP access logs and reverse-proxy logs covering the management UI for requests to /api/v2.0/cmdb/.../cgi-bin/fwbcgi and any CGIINFO headers (watchTowr).
  - System event/audit logs around user creation; SANS honeypot samples show JSON payloads that create prof_admin users (SANS ISC honeypot diary).
- Enterprise telemetry around ClickFix:
  - Windows Security 4688 (process creation) for executions of finger.exe, powershell.exe, cmd.exe spawned from browsers or Explorer (Microsoft 4688 documentation).
  - PowerShell Script Block Logging (event ID 4104) to capture decoded one-liners invoked via ClickFix (PowerShell team guidance).
  - Sysmon Event ID 3 for outbound connections to TCP/79 tied to user processes (Sysmon docs).
Detection Notes
- FortiWeb HTTP indicators:
  - Look for requests to /api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi (HTTP 200 suggests a reachable pre-patch path) and headers named CGIINFO with Base64 JSON (watchTowr).
  - Watch for user-agent patterns seen in scanning (e.g., python-urllib3) in management logs (watchTowr example request).
- Quick network checks:
  - Query netflow/Zeek for any egress to TCP/79. Legitimate Finger traffic should be near-zero in most enterprises; finger.exe is not proxy-aware and always uses port 79 (SANS ISC diary).
- Example Splunk searches:
  - Finger executions (Security 4688 carries the path in New_Process_Name, Sysmon Event ID 1 in Image, so each source gets its own field test):
    index=windows ((sourcetype=WinEventLog:Security EventCode=4688 New_Process_Name="*\\finger.exe") OR (source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 Image="*\\finger.exe"))
  - Egress on port 79 via Sysmon:
    index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3 DestinationPort=79 | stats count by Computer, Image, DestinationIp
  - FortiWeb exploit attempts via reverse proxy (the two URI tests are parenthesized so the OR does not escape the index/method filter):
    index=proxy http_method IN (GET,POST) (uri_query="*cgi-bin/fwbcgi*" OR uri_path="*/cgi-bin/fwbcgi*")
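The FortiWeb HTTP indicators above, turned into a small log hunt as an added example (not code from Fortinet, watchTowr or SANS): it URL-decodes the request path so encoded traversal is not missed, flags requests that reach cgi-bin/fwbcgi through a ".." segment, records whether the appliance answered 200 (reachable pre-patch) or 403 (post-fix), and decodes any CGIINFO header to JSON for triage. The simplified one-line-per-request log format and the sample lines are constructed for this example.

```python
import base64
import json
import re
from urllib.parse import unquote

TARGET = "cgi-bin/fwbcgi"
# Assumed reverse-proxy log format for this example: client method path status "user-agent" cgiinfo-or-dash
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)" (\S+)$')

# Constructed sample lines (not real traffic); the CGIINFO value is a placeholder JSON object.
PLACEHOLDER_CGIINFO = base64.b64encode(b'{"note": "constructed placeholder"}').decode()
SAMPLE_LOG = [
    '203.0.113.7 GET /api/v2.0/cmdb/system/admin 200 "Mozilla/5.0" -',
    '203.0.113.9 GET /api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi 200 '
    '"python-urllib3/2.2" ' + PLACEHOLDER_CGIINFO,
    '203.0.113.9 POST /api/v2.0/cmdb/system/admin/%2e%2e/%2e%2e/cgi-bin/fwbcgi 200 "python-urllib3/2.2" -',
    '198.51.100.4 GET /api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi 403 "curl/8.0" -',
]

def decode_path(raw):
    """URL-decode twice so single- or double-encoded '..' segments are not missed."""
    return unquote(unquote(raw))

def is_traversal_to_fwbcgi(raw_path):
    """True when the request reaches cgi-bin/fwbcgi through a '..' segment rather than directly."""
    path = decode_path(raw_path).lower()
    return TARGET in path and ".." in path.split("/")

def decode_cgiinfo(value):
    """Return the JSON object carried in a CGIINFO header, or None if absent or undecodable."""
    if value in ("", "-"):
        return None
    try:
        return json.loads(base64.b64decode(value, validate=True))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return None

def hunt(lines):
    """Return one finding per traversal request; status 200 suggests an unpatched, reachable path."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, path, status, user_agent, cgiinfo = m.groups()
        if is_traversal_to_fwbcgi(path):
            findings.append({"client": client, "method": method, "status": int(status),
                             "reachable": status == "200", "user_agent": user_agent,
                             "cgiinfo_json": decode_cgiinfo(cgiinfo)})
    return findings
```

Any finding with reachable set to True on a device that was on a vulnerable version is a trigger for the "assume compromise" steps in Response Guidance, not just a scan note.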
Response Guidance
- Contain and harden first:
- Immediately restrict/disable HTTP/HTTPS admin exposure and allow management only from isolated admin networks; this is Fortinet’s stated workaround while patching (Fortinet PSIRT).
- If your device matched a vulnerable version and was exposed, do not rely on patching alone. Assume potential compromise and perform credential rotation for accounts used on or managed by the device, and invalidate all administrative sessions (SANS Stormcast; Fortinet PSIRT post-upgrade notes).
- Patch/upgrade decisively:
- Upgrade FortiWeb to 8.0.2, 7.6.5, 7.4.10, 7.2.12, or 7.0.12 as applicable; confirm the endpoint now returns HTTP 403 for the watchTowr probe path (Fortinet PSIRT; watchTowr check).
- Hunt and eradicate:
- Enumerate admin accounts on FortiWeb and review creation/changes since October 2025 when exploitation started being reported publicly (watchTowr; NVD timeline/KEV).
- Audit policies/rules for unauthorized changes and check for any downstream pivots (e.g., altered WAF rules, backend credential storage) consistent with admin-level control (Fortinet PSIRT).
- ClickFix countermeasures:
- Block egress to TCP/79 unless there is a documented business need; the Finger protocol is fixed to this port and rarely used legitimately (SANS ISC diary).
- Enable Security 4688 command-line logging and PowerShell Script Block Logging 4104 to capture user-driven one-liners used by ClickFix (Microsoft 4688; PowerShell team).
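The ClickFix telemetry described above (Security 4688 for finger.exe and Sysmon Event ID 3 for TCP/79), joined into one hunt as an added example that is not from SANS ISC, Microsoft or any vendor: it lists finger.exe starts and whether a browser or Explorer launched them, lists every port-79 connection regardless of image, and correlates the two per host within a short window. The flattened event records, field names and hostnames are constructed for this example, not real Windows event schemas.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

FINGER_PORT = 79
# Parents that indicate a user-driven launch (browser or Explorer), as the notes above describe.
USER_LAUNCHERS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample events (not real telemetry). "id" 4688 mirrors Security process creation,
# "id" 3 mirrors Sysmon network connection; the flattened field names are this example's own.
EVENTS = [
    {"host": "WS01", "ts": "2025-11-17T10:00:01", "id": 4688,
     "new_process": r"C:\Windows\System32\finger.exe", "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS01", "ts": "2025-11-17T10:00:02", "id": 3,
     "image": r"C:\Windows\System32\finger.exe", "dest_ip": "203.0.113.5", "dest_port": 79},
    {"host": "WS02", "ts": "2025-11-17T11:30:00", "id": 4688,
     "new_process": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS03", "ts": "2025-11-17T12:00:00", "id": 3,
     "image": r"C:\Program Files\Legacy\fingerclient.exe", "dest_ip": "10.0.0.8", "dest_port": 79},
]

def _basename(path):
    return PureWindowsPath(path).name.lower()

def finger_executions(events):
    """4688 records that start finger.exe, noting whether a browser or Explorer was the parent."""
    return [{"host": e["host"], "ts": e["ts"], "parent": _basename(e["parent"]),
             "user_launched": _basename(e["parent"]) in USER_LAUNCHERS}
            for e in events if e["id"] == 4688 and _basename(e["new_process"]) == "finger.exe"]

def port79_egress(events):
    """Sysmon Event ID 3 records to TCP/79 from any image; Finger egress should be near-zero."""
    return [e for e in events if e["id"] == 3 and e["dest_port"] == FINGER_PORT]

def correlate(events, window_s=60):
    """Join each port-79 connection to a finger.exe start on the same host within window_s seconds."""
    execs = finger_executions(events)
    hits = []
    for conn in port79_egress(events):
        t_conn = datetime.fromisoformat(conn["ts"])
        for ex in execs:
            if ex["host"] == conn["host"] and \
               abs(t_conn - datetime.fromisoformat(ex["ts"])) <= timedelta(seconds=window_s):
                hits.append({"host": conn["host"], "dest_ip": conn["dest_ip"],
                             "parent": ex["parent"], "user_launched": ex["user_launched"]})
    return hits
```

The uncorrelated WS03 connection is the kind of result to reconcile against a documented business need before the TCP/79 block goes in; a correlated hit with user_launched True is the ClickFix pattern and warrants pulling the 4104 script block logs for that host.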
Takeaways
- Prioritize FortiWeb upgrades and remove public exposure of the admin interface; then validate no unauthorized admin was added and rotate credentials (Fortinet PSIRT).
- Add a quick network control: block and alert on TCP/79 egress; investigate any finger.exe executions from user endpoints (SANS ISC diary).
- Treat unpatched, exposed devices as potentially compromised and follow through with log review, session invalidation, and config integrity checks (SANS Stormcast).
Sources / References
- SANS Stormcast 2025-11-17: FortiWeb vulnerability; Finger and ClickFix: https://isc.sans.edu/podcastdetail/9702
- Fortinet PSIRT FG-IR-25-910 (CVE-2025-64446): https://fortiguard.fortinet.com/psirt/FG-IR-25-910
- watchTowr Labs: FortiWeb auth bypass technical analysis: https://labs.watchtowr.com/when-the-impersonation-function-gets-used-to-impersonate-users-fortinet-fortiweb-auth-bypass/
- SANS ISC diary: Honeypot FortiWeb CVE-2025-64446 Exploits: https://isc.sans.edu/diary/Honeypot%2BFortiWeb%2BCVE202564446%2BExploits/32486
- NVD: CVE-2025-64446 (KEV details): https://nvd.nist.gov/vuln/detail/CVE-2025-64446
- SANS ISC diary: Finger.exe & ClickFix: https://isc.sans.edu/forums/diary/Fingerexe%2BClickFix/32492/
- BleepingComputer: Finger protocol abused in ClickFix: https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
- Microsoft: Event ID 4688 process creation: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4688
- Microsoft Sysmon documentation (Event ID 3): https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon