FortiWeb CVE-2025-64446 is being mass‑exploited; hunt for admin impersonation and ClickFix over finger.exe
Fortinet has acknowledged active exploitation of a FortiWeb GUI path traversal that lets an unauthenticated attacker reach a CGI endpoint and impersonate users, including admins, to run privileged actions such as creating new administrator accounts (CVE-2025-64446) (Fortinet PSIRT FG-IR-25-910; NVD entry). SANS ISC’s Stormcast on November 17, 2025 highlighted widespread scanning and recommended treating exposed, unpatched appliances as compromised until proven otherwise (SANS Stormcast 2025-11-17). In parallel, ClickFix lures are leveraging Windows finger.exe to fetch follow-on commands over the legacy Finger protocol, making egress on TCP/79 a simple detection point (SANS ISC diary; BleepingComputer).