On 13 November 2025, open-source reporting began detailing active exploitation of a silently patched Fortinet FortiWeb vulnerability. The flaw is a path traversal issue in the FortiWeb web application firewall (WAF) that allows an unauthenticated threat actor to create new administrative users on exposed devices. The following day, November 14, Fortinet officially addressed the vulnerability in an advisory, tracking it as CVE-2025-64446.
Exploitation involves sending an HTTP POST request to /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi with a payload designed to create an administrative account. Attempts to exploit this vulnerability have been reported since at least early October. WatchTowr produced a working exploit and confirmed that it no longer functions on the latest version of FortiWeb (8.0.2).
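As an added example (not part of this bulletin and not Fortinet or Arctic Wolf tooling), the following Python snippet shows how a defender could flag the request pattern described above in web-server access logs. The log format, client addresses and the percent-encoded variant are constructed; the detector double-decodes the path and checks that it traverses out of the /api/v2.0/cmdb/ prefix to cgi-bin/fwbcgi.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample access-log lines (hypothetical format and addresses).
SAMPLE_LOGS = [
    '203.0.113.5 - - [13/Nov/2025:10:01:02 +0000] "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512',
    '203.0.113.9 - - [13/Nov/2025:10:02:10 +0000] "POST /api/v2.0/cmdb/system/admin%3F/%2e%2e/%2e%2e/%2e%2e/cgi-bin/fwbcgi HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Nov/2025:10:03:00 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 401 0',
    '198.51.100.8 - - [13/Nov/2025:10:04:00 +0000] "GET /static/app.js HTTP/1.1" 200 9000',
]

# Extract method and raw request path from a common-log style request field.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

API_PREFIX = "/api/v2.0/cmdb/"
TARGET_SUFFIX = "/cgi-bin/fwbcgi"


def is_traversal_attempt(raw_path: str) -> bool:
    """True when the path starts under the CMDB API, contains '..' segments,
    and resolves to the fwbcgi handler once dot-segments are collapsed."""
    # Decode twice so %2e%2e and double-encoded variants are normalised the same way.
    decoded = unquote(unquote(raw_path))
    # The encoded '?' (%3f) is kept as part of the path on purpose: splitting on it
    # would hide the traversal that follows it.
    under_api = decoded.lower().startswith(API_PREFIX)
    has_dotdot = "/../" in decoded or decoded.endswith("/..")
    resolved = normpath(decoded)
    reaches_cgi = resolved.lower().endswith(TARGET_SUFFIX)
    return under_api and has_dotdot and reaches_cgi


def scan_logs(lines):
    """Return (method, raw_path) for each log line matching the traversal pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and is_traversal_attempt(m.group("path")):
            hits.append((m.group("method"), m.group("path")))
    return hits


if __name__ == "__main__":
    for method, path in scan_logs(SAMPLE_LOGS):
        print(f"suspected CVE-2025-64446 attempt: {method} {path}")
```

A successful attempt should also be correlated with FortiWeb audit events showing an administrator account created outside the change window.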
Threat actors are likely to continue targeting this vulnerability in the near future due to FortiWeb's integration with other Fortinet products, which could provide access to additional systems and data. FortiWeb vulnerabilities have been exploited in the wild previously, including an instance in July 2025 when CVE-2025-25257 was targeted shortly after disclosure.
Recommendations for CVE-2025-64446
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
| --- | --- | --- |
| FortiWeb | | |
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.
Remove FortiWeb Management Interface From Public Internet
Fortinet recommends disabling HTTP and HTTPS access to the FortiWeb Management Interface from the public internet to reduce your attack surface and limit the risk of remote exploitation from this or future vulnerabilities.