{“lastseen”:”2025-11-15T00:05:08″,”description”:”A critical authentication bypass vulnerability affecting Fortinet FortiWeb web application firewalls has been actively exploited since early October 2025. The vulnerability allows unauthenticated attackers to create admin accounts and gain complete control over vulnerable devices exposed to the internet. It is being officially tracked as CVE-2025-64446 with a CVSS v3.1 score of 9.8 (Critical). CISA has added CVE-2025-64446 to the CISA KEV catalog earlier today with a required remediation due date of November 21, 2025.\\n\\n## Technical Analysis:\\n\\nThe vulnerability actually involves two distinct flaws that work together to bypass authentication controls.\\n\\n### First: Path Traversal\\n\\nThe first stage exploits a path traversal weakness in the FortiWeb API. If a URI begins with a valid API path like \/api\/v2.0\/cmdb\/system\/admin, an attacker can traverse to the underlying fwbcgi CGI executable:\\n \\n \\n POST \/api\/v2.0\/cmd\/system\/admin%3F\/..\/..\/..\/..\/..\/cgi-bin\/fwbcgi HTTP\/1.1\\n\\n### Second: Impersonation Mechanism\\n\\nThe second stage abuses how FortiWeb’s fwbcgi binary handles authentication through the cgi_auth() function. This function doesn’t actually authenticate users. Instead, it accepts user identity information from the client via a base64-encoded CGIINFO HTTP header.\\n\\nThe function extracts four key fields from the decoded JSON:\\n\\n * username – target username\\n * profname – profile name\\n * vdom – virtual domain\\n * loginname – login identifier\\n\\n\\n\\nSince the built-in admin account has consistent attributes across all FortiWeb devices that can’t be modified, threat actors can reliably impersonate this account by supplying the correct JSON structure:\\n \\n \\n {\\n \u00a0 \\”username\\”: \\”admin\\”,\\n \u00a0 \\”profname\\”: \\”super_admin\\”,\\n \u00a0 \\”vdom\\”: \\”root\\”,\\n \u00a0 \\”loginname\\”: \\”admin\\”\\n }\\n\\nOnce the cgi_auth() function processes this header, all subsequent actions execute with full administrative privileges. The attacker can then issue any command, including creating persistent admin accounts with known credentials.\\n\\n## Affected Versions:\\n\\nThe following Fortinet FortiWeb versions are vulnerable:\\n\\n * FortiWeb 8.0.0 through 8.0.1\\n * FortiWeb 7.6.0 through 7.6.4\\n * FortiWeb 7.4.0 through 7.4.9\\n * FortiWeb 7.2.0 through 7.2.11\\n * FortiWeb 7.0.0 through 7.0.11\\n\\n\\n\\n## Qualys Detection Resources\\n\\nQualys customers will be able to scan their devices with the following QID to detect vulnerable assets once released around 5PM PST. These QIDs should be available in VULNSIGS-2_6_468 and onwards.\\n\\n * QID 733406: Fortinet FortiWeb Authentication Bypass Vulnerability (Intrusive Check)\\n * QID 733407: Fortinet FortiWeb Authentication Bypass Vulnerability (FG-IR-25-910)\\n\\n\\n\\n## Mitigation Recommendations\\n\\nCustomers should ensure that their Fortinet versions are updated to the following versions:\\n\\n * FortiWeb 8.0.2 or above\\n * FortiWeb 7.6.5 or above\\n * FortiWeb 7.4.10 or above\\n * FortiWeb 7.2.12 or above\\n * FortiWeb 7.0.12 or above\\n\\n\\n\\nTemporary Mitigation: Immediately disable HTTP\/HTTPS access on any internet-facing interfaces. This control should remain in place until the system is upgraded.\\n\\n## Indicators of Compromise:\\n\\nOrganizations running vulnerable versions should immediately check for:\\n\\n### Network-based IOCs:\\n\\n * POST requests to \/api\/v2.0\/cmd\/system\/admin%3F\/..\/..\/..\/..\/..\/cgi-bin\/fwbcgi or similar path traversal patterns from unauthorized IP addresses.\\n * Requests containing base64-encoded CGIINFO headers\\n\\n\\n\\n### Host-based IOCs:\\n\\n * Unknown administrator accounts created since early October 2025\\n * New local user accounts with prof_admin access profiles\\n * Accounts with trust host ranges set to 0.0.0.0\/0 or ::\/0 \\n\\n\\n\\n## Eliminating the Risk of These Vulnerabilities with the Qualys Enterprise TruRiskTM Platform\\n\\n### **Strengthen Your Security Posture with Qualys VMDR**\\n\\nQualys VMDR offers comprehensive coverage and visibility into vulnerabilities, empowering organizations to rapidly respond to, prioritize, and mitigate the associated risks.\\n\\nLeverage the power of Qualys VMDR alongside TruRiskTM scoring and the Qualys Query Language (QQL) to efficiently identify and prioritize vulnerable assets, effectively addressing the vulnerabilities highlighted above.\\n\\nUse this QQL statement:\\n \\n \\n vulnerabilities.vulnerability.cveIds:CVE-2025-64446\\n\\n\\n\\n* * *\\n\\n**Get Started with Qualys Solutions Today.**\\n\\nTry Today\\n\\n* * *”,”published”:”2025-11-15T00:01:08″,”modified”:”2025-11-15T00:01:08″,”type”:”qualysblog”,”title”:”Unauthenticated Authentication Bypass in Fortinet FortiWeb (CVE-2025-64446) Exploited in the Wild”,”source”:””,”references”:””,”id”:”QUALYSBLOG:78D78ACB6FCD64E06E3A6C46A78A6A24″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[“CVE-2025-64446″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/blog.qualys.com\/category\/vulnerabilities-threat-research”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-15T00:05:08″,”description”:”A critical authentication bypass vulnerability affecting Fortinet FortiWeb web application firewalls has been actively exploited since early October 2025. The vulnerability allows unauthenticated attackers to…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,35,12,13,120,7,11,5],"class_list":["post-26356","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-qualysblog","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n