CVE-2025-64446: Critical Fortinet FortiWeb Path Traversal Vulnerability Exploited to Create Administrative Accounts

On November 13, 2025, open source reporting began detailing active exploitation of a silently patched Fortinet FortiWeb vulnerability. The flaw is a path traversal issue in the FortiWeb web application firewall (WAF) that allows an unauthenticated threat actor to create new administrative users on exposed devices. The following day, November 14, Fortinet officially addressed the vulnerability in an advisory, tracking it as CVE‑2025‑64446. 

Exploitation involves sending an HTTP POST request to /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi with a payload designed to create an administrative account. Attempts to exploit this vulnerability have been reported since at least early October. WatchTowr produced a working exploit and confirmed that it no longer functions on the latest version of FortiWeb (8.0.2). 

Threat actors are likely to continue targeting this vulnerability in the near future due to FortiWeb’s integration with other Fortinet products, which could provide access to additional systems and data. FortiWeb vulnerabilities have been exploited in the wild previously, including an instance in July 2025 when CVE‑2025‑25257 was targeted shortly after disclosure. 

Recommendations for CVE-2025-64446

Upgrade to Latest Fixed Version

Arctic Wolf strongly recommends that customers upgrade to the latest fixed version. 

Please follow your organization’s patching and testing guidelines to minimize potential operational impact. 

Remove FortiWeb Management Interface From Public Internet

Fortinet recommends disabling HTTP and HTTPS access to the FortiWeb Management Interface from the public internet to reduce your attack surface and limit the risk of remote exploitation from this or future vulnerabilities. 

References 

• First Observations of Exploitation
• Fortinet FortiWeb 8.0.2 Release Notes  
• PwnDefend Observations
• watchTowr Observations
• Exploit Video
• Fortinet Advisory