
FortiWeb CVE-2025-64446: Path Traversal + CGI impersonation yields admin on-box

4n6 Beat


On November 14, 2025, watchTowr published a hands-on analysis of Fortinet FortiWeb CVE-2025-64446 showing an authentication-bypass chain: a path traversal that reaches the fwbcgi binary, combined with a crafted Base64-encoded CGIINFO header that causes user impersonation and so enables privileged actions such as creating local admin accounts (watchTowr write-up). Fortinet has issued PSIRT advisory FG-IR-25-910 for CVE-2025-64446, with fixes in 8.0.2 and the corresponding maintenance branches; multiple CERTs report active exploitation (CERT-FR bulletin, Canadian Centre for Cyber Security alert, and the NVD entry). (labs.watchtowr.com)
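As an added, defender-side example (not code from watchTowr's write-up or from Fortinet), the checker below scans request records for the two traits the chain combines: a raw path containing traversal sequences that normalizes to the fwbcgi CGI, and a CGIINFO header carrying a Base64-looking value. The record format, field names and header value are constructed placeholders; the exact paths used in real exploitation are deliberately not reproduced.

```python
import posixpath
import re
from urllib.parse import unquote

# Traversal markers in their plain, URL-encoded and double-encoded forms.
TRAVERSAL_RE = re.compile(r"\.\.(?:/|\\|%2f|%5c)|%2e%2e", re.IGNORECASE)
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def normalize_path(raw_path):
    """Percent-decode twice (to unfold double encoding) and collapse dot segments."""
    decoded = unquote(unquote(raw_path.split("?", 1)[0]))
    return posixpath.normpath("/" + decoded.lstrip("/"))


def assess_request(req):
    """Return detection reasons for one request record; an empty list means nothing flagged."""
    reasons = []
    raw = req["path"]
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    # Trait 1: the resolved path lands on fwbcgi and the raw path needed traversal to get there.
    if normalize_path(raw).endswith("/fwbcgi") and TRAVERSAL_RE.search(raw):
        reasons.append("traversal_to_fwbcgi")
    # Trait 2: a CGIINFO header is present at all, and whether it looks Base64-encoded.
    if "cgiinfo" in headers:
        reasons.append("cgiinfo_header_present")
        if BASE64_RE.fullmatch(headers["cgiinfo"].strip()):
            reasons.append("cgiinfo_base64")
    return reasons


def scan(requests):
    """Return (index, reasons) for every record that raised at least one reason."""
    hits = []
    for i, req in enumerate(requests):
        reasons = assess_request(req)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample records (hypothetical format and values, not captured traffic).
SAMPLE_REQUESTS = [
    {"path": "/api/v2.0/status", "headers": {"Host": "fw.example.test"}},
    {"path": "/foo/..%2f..%2fcgi-bin/fwbcgi", "headers": {"CGIINFO": "cGxhY2Vob2xkZXI="}},
    {"path": "/cgi-bin/fwbcgi", "headers": {"Host": "fw.example.test"}},
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_REQUESTS):
        print(idx, SAMPLE_REQUESTS[idx]["path"], why)
```

A direct request to the CGI without traversal (the third record) is not flagged here; widen the rule if that path is never legitimately reached from the management interface in your deployment.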