FortiWeb CVE-2025-64446: Path Traversal + CGI impersonation yields admin on-box
On November 14, 2025, watchTowr published a hands-on analysis of Fortinet FortiWeb CVE-2025-64446 showing an auth bypass chain: a path traversal to the fwbcgi binary, plus a crafted Base64-encoded CGIINFO header that causes user impersonation and enables privileged actions like creating local admin accounts (watchTowr write-up). Fortinet has issued PSIRT advisory FG-IR-25-910 for CVE-2025-64446, with fixes in 8.0.2 and corresponding maintenance branches; multiple CERTs note active exploitation (CERT-FR bulletin, Canadian Centre for Cyber Security alert, and NVD entry). (labs.watchtowr.com)
Intrusion Flow
- Entry to management UI via HTTP(S): attackers send requests under a valid API prefix and traverse to fwbcgi, e.g. POST /api/v2.0/cmd/system/admin%3F/../../../../../cgi-bin/fwbcgi (watchTowr example). In patched builds, the same probe receives HTTP 403 (in vulnerable builds it’s 200), providing a quick discrimination check (watchTowr, BitSight summary). (labs.watchtowr.com)
- Authentication bypass via CGIINFO: fwbcgi reads HTTP_CGIINFO, Base64-decodes a JSON blob, and accepts supplied fields (username, profname, vdom, loginname) to set the login context, enabling impersonation of the built-in admin and subsequent privileged actions (watchTowr reversing details). (labs.watchtowr.com)
- Post-exploitation activity: adversaries create local administrator accounts through the same channel; reported operator-chosen names include Testpoint and trader variations (watchTowr payload example, BitSight TI). (labs.watchtowr.com)
Key Artifacts to Pull
- FortiWeb event logs (local, FortiAnalyzer, or remote syslog): creation of admin accounts is log_id 00003401 (“A FortiWeb administrator created an administrator account”) with subtype=admin and action=add. Example includes user, ui, and source IP fields (Fortinet Log Message Reference). Also collect generic event/attack logs to reconstruct management actions and UI access (FortiWeb logging guide). (docs.fortinet.com)
- Network evidence: full-proxy, firewall, or sensor logs capturing requests to /api/v2.0/.../cgi-bin/fwbcgi and the HTTP_CGIINFO header. watchTowr’s PoC/detector shows the structure of traffic and account-creation POST bodies (watchTowr blog, watchTowr “detection artifact generator” repo). (labs.watchtowr.com)
- Configuration state: enumerate admin accounts and profiles to spot unauthorized additions or privilege changes; Fortinet’s CLI reference shows admin management under config system admin (and you can list/edit entries interactively) (FortiWeb CLI reference 8.0.2, system admin). (docs.fortinet.com)
- Context for benign-looking admin activity: Fortinet documents the special system user daemon_admin appearing in routine system events; do not misclassify those as attacker activity without corroboration (Fortinet community technical tip). (community.fortinet.com)
Detection Notes
- Simple exposure test (safe, read-only): send a GET for /api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi. HTTP 200 implies vulnerable; HTTP 403 implies patched, per watchTowr’s lab validation (watchTowr quick check). Use only from an authorized scanner. (labs.watchtowr.com)
- SIEM hunting queries (reverse proxies / WAF / load balancers):
  - Look for URIs containing both /api/v2.0/ and /cgi-bin/fwbcgi together with the presence of an HTTP header CGIINFO.
  - Flag POSTs with JSON bodies to admin CMDB/cmd paths followed by HTTP 200/201.
  - Watch for user-agent automation (e.g., python-urllib3) from untrusted sources seen in watchTowr captures (watchTowr). (labs.watchtowr.com)
- Example Sigma (web/proxy logs):
    title: FortiWeb CVE-2025-64446 fwbcgi impersonation attempt
    status: experimental
    description: Detects path-traversal to fwbcgi plus CGIINFO header
    logsource:
      category: proxy
      product: webserver
      service: http
    detection:
      selection_uri:
        cs-uri-stem|contains: "/api/v2.0/"
      selection_fwbcgi:
        cs-uri-stem|contains: "/cgi-bin/fwbcgi"
      selection_hdr:
        request_headers|contains: "CGIINFO"
      condition: selection_uri and selection_fwbcgi and selection_hdr
    fields:
      - c-ip
      - cs-host
      - cs-method
      - cs-uri-stem
      - request_headers
    falsepositives:
      - none known (management UI only)
    level: high
- Example Suricata (tune for your env):
    # Assumes the sensor sees decrypted HTTP (TLS termination or inline decryption); adjust the port to your management listener.
    alert http any any -> $HOME_NET 443 ( \
        msg:"FortiWeb CVE-2025-64446 fwbcgi traversal + CGIINFO"; \
        flow:to_server,established; \
        http.method; content:"POST"; nocase; \
        http.uri; content:"/api/v2.0/"; http.uri; content:"/cgi-bin/fwbcgi"; \
        http.header; content:"CGIINFO"; nocase; \
        classtype:web-application-attack; sid:10064446; rev:1;)
- Device-side indicators: admin additions (log_id 00003401), unusual admin profile changes, and logons from unexpected sources. Fortinet’s log reference and logging guide detail fields and severities to pivot on (log_id 00003401, logging types/severity). (docs.fortinet.com)
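To turn the hunting criteria above into something you can run over exported logs, here is an added example (not code from watchTowr or Fortinet) that applies the URI + CGIINFO + method/status checks to constructed proxy records and triages constructed FortiWeb-style log_id 00003401 events; the JSON field names, the key=value layout and the srcip key are assumptions.

```python
import json
import re
from urllib.parse import unquote

# Constructed proxy/WAF records as JSON lines (field names are assumptions, not a real product format).
PROXY_LOG = """
{"c_ip":"198.51.100.7","method":"POST","uri":"/api/v2.0/cmd/system/admin%3F/../../../../../cgi-bin/fwbcgi","status":200,"ua":"python-urllib3/2.2","headers":["Host","CGIINFO","Content-Type"]}
{"c_ip":"198.51.100.7","method":"GET","uri":"/api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi","status":403,"ua":"curl/8.4","headers":["Host"]}
{"c_ip":"10.0.0.5","method":"GET","uri":"/api/v2.0/cmdb/system/admin","status":200,"ua":"Mozilla/5.0","headers":["Host","Cookie"]}
"""
# Constructed FortiWeb-style key=value event lines; log_id/subtype/action/user follow the page,
# the srcip key and all values are assumptions for illustration.
EVENT_LOG = """
date=2025-11-14 time=10:02:11 log_id=00003401 type=event subtype=admin action=add user="Testpoint" ui=GUI srcip=198.51.100.7 msg="A FortiWeb administrator created an administrator account"
date=2025-11-14 time=10:05:00 log_id=00003401 type=event subtype=admin action=add user="daemon_admin" ui=daemon srcip=127.0.0.1 msg="A FortiWeb administrator created an administrator account"
"""
def normalize(uri):
    # Decode twice so single- or double-percent-encoded traversal and the %3F trick match plain strings.
    return unquote(unquote(uri)).lower()

def hunt_proxy(lines):
    """Apply the page's URI + CGIINFO + method/status criteria to each proxy record."""
    findings = []
    for raw in lines.strip().splitlines():
        rec = json.loads(raw)
        uri = normalize(rec["uri"])
        if "/api/v2.0/" not in uri or "/cgi-bin/fwbcgi" not in uri:
            continue
        headers = {h.upper() for h in rec.get("headers", [])}
        if rec["method"] == "POST" and "CGIINFO" in headers and rec["status"] in (200, 201):
            verdict = "likely-success"      # bypass header present and the appliance accepted it
        elif rec["status"] == 403:
            verdict = "blocked-patched"     # patched builds answer 403 to the traversal probe
        else:
            verdict = "attempt"
        findings.append((rec["c_ip"], verdict, rec.get("ua", "")))
    return findings

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
def hunt_admin_creations(lines, loopback=("127.0.0.1",)):
    """Return log_id 00003401 'add' events; daemon_admin from loopback is tagged for corroboration, not alerted."""
    hits = []
    for raw in lines.strip().splitlines():
        f = {m.group(1): m.group(3) if m.group(3) is not None else m.group(2) for m in KV.finditer(raw)}
        if f.get("log_id") != "00003401" or f.get("action") != "add":
            continue
        tag = "routine-candidate" if f.get("user") == "daemon_admin" and f.get("srcip") in loopback else "investigate"
        hits.append((f.get("user"), f.get("srcip"), tag))
    return hits
```

Feed real exports into hunt_proxy and hunt_admin_creations after mapping your own field names; a "likely-success" proxy hit followed by an "investigate" admin creation from the same source IP is the pairing worth escalating.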
Response Guidance
- Patch priority: upgrade FortiWeb immediately to a fixed version. Multiple advisories list 8.0.2 (and 7.6.5/7.4.10/7.2.12/7.0.12) as remediations for CVE-2025-64446 (CERT-FR summary and PSIRT ref, Canadian Cyber Centre AL25-017). If you can’t patch immediately, disable internet-facing HTTP/HTTPS administrative access as an interim control (Help Net Security recap of vendor guidance). (cert.ssi.gouv.fr)
- Hunt now for successful exploitation: search for POSTs to /api/v2.0/.../cgi-bin/fwbcgi with HTTP_CGIINFO and review event logs for unauthorized admin creations. The watchTowr request specimen and tool can help validate signals (watchTowr blog, watchTowr GitHub detector). (labs.watchtowr.com)
- Contain compromised appliances: if exploitation is confirmed, remove management exposure, rotate all local admin passwords, revoke and re-issue any API keys or certificates used for administrative login, and review configuration for persistence (new users, scheduled tasks). Fortinet’s CLI reference details where admin accounts live (config system admin) to support verification and cleanup (FortiWeb CLI reference). (docs.fortinet.com)
- Validate remediation: re-run the watchTowr “200 vs 403” probe to confirm the patch state post-upgrade (watchTowr quick check). Also monitor vendor PSIRT and national CERT channels for updates (Fortinet PSIRT index, CERT-FR, Cyber Centre). (labs.watchtowr.com)
- Compliance timelines: public reporting indicates CVE-2025-64446 was added to KEV on November 14, 2025; if you operate under policies aligned to KEV due dates, update risk tracking accordingly (Canadian Cyber Centre citing KEV addition). (cyber.gc.ca)
Takeaways
- Prioritize upgrades to FortiWeb 8.0.2 (or 7.6.5/7.4.10/7.2.12/7.0.12) and restrict management-plane exposure. Validate with the 403 probe. (CERT-FR, watchTowr). (cert.ssi.gouv.fr)
- Hunt your telemetry now for /api/v2.0/.../cgi-bin/fwbcgi plus HTTP_CGIINFO; triage any admin creations (log_id 00003401). (watchTowr, Fortinet log ref). (labs.watchtowr.com)
- Assume appliance compromise if exploitation is confirmed; rotate credentials, remove rogue admins, and review for persistence via config inspection (config system admin). (FortiWeb CLI reference). (docs.fortinet.com)
Sources / References
- watchTowr analysis: https://labs.watchtowr.com/when-the-impersonation-function-gets-used-to-impersonate-users-fortinet-fortiweb-auth-bypass/
- Fortinet PSIRT FG-IR-25-910 (vendor advisory): https://www.fortiguard.com/psirt/FG-IR-25-910
- CERT-FR advisory CERTFR-2025-AVI-1014: https://www.cert.ssi.gouv.fr/avis/CERTFR-2025-AVI-1014/
- Canadian Centre for Cyber Security AL25-017: https://www.cyber.gc.ca/en/alerts-advisories/al25-017-vulnerability-impacting-fortinet-fortiweb-cve-2025-64446
- NVD CVE-2025-64446: https://nvd.nist.gov/vuln/detail/CVE-2025-64446
- BitSight overview: https://www.bitsight.com/blog/critical-vulnerability-alert-cve-2025-64446-fortinet-fortiweb-vulnerability
- Help Net Security recap: https://www.helpnetsecurity.com/2025/11/14/fortinet-fortiweb-zero-day-exploited/
- NHS England Cyber Alert CC-4717: https://digital.nhs.uk/cyber-alerts/2025/cc-4717
- watchTowr detector (GitHub): https://github.com/watchtowrlabs/watchTowr-vs-Fortiweb-AuthBypass/
- FortiWeb logging guide: https://help.fortinet.com/fweb/557/Content/FortiWeb/fortiweb-admin/logging.htm
- FortiWeb log_id 00003401 (Admin created): https://docs.fortinet.com/document/fortiweb/7.2.1/log-message-reference/927828/00003401
- FortiWeb CLI reference - system admin: https://docs.fortinet.com/document/fortiweb/8.0.2/cli-reference/810797/system-admin
- Fortinet community note on daemon_admin: https://community.fortinet.com/t5/FortiWeb/Technical-Tip-FortiWeb-System-events-shows-daemon-admin-user/ta-p/384267