Security Alert: CVE-2025-64446 Fortinet FortiWeb Actively Exploited

Written by Emma Stevens
Threat Intelligence Researcher

Summary

A critical zero-day path-traversal vulnerability, CVE-2025-64446, in Fortinet FortiWeb, the company’s Web Application Firewall (WAF), is being actively exploited in the wild to create unauthorized administrator accounts on exposed systems.

This flaw allows unauthenticated attackers to gain complete administrator access to affected devices.

Exploitation of CVE-2025-64446 has been ongoing since early October 2025; however, the CVE identifier was only assigned today, November 14, 2025.

Both watchTowr Labs and Rapid7 have verified the exploit, and public proof-of-concept (PoC) code is now circulating.

CVE-2025-64446 overview

The flaw resides in the FortiWeb endpoint:

/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi

Attackers send crafted HTTP POST requests to this path, creating local administrative users without authentication.

The vulnerability affects FortiWeb 8.0.1 and earlier and is patched in version 8.0.2, which now rejects exploitation attempts with an HTTP 403 Forbidden response.

Initial exploitation was observed by Defused on October 6, 2025; activity has since escalated globally.

According to Bitsight Threat Intelligence

According to Bitsight Threat Intelligence — drawing on both internal telemetry and public reporting from Defused, watchTowr Labs, Rapid7, and BleepingComputer — the following activity has been observed:

  • Active exploitation since October 2025, originating from IPs in the U.S., Europe, and Asia.
  • Use of automated payloads that create admin accounts named “Testpoint,” “trader,” and “trader1”.
  • Assigned passwords such as 3eMIXX43, AFT3$tH4ck, and AFT3$tH4ckmet0d4yaga!n.
  • A PoC exploit has been released publicly, and watchTowr Labs has published a tool (“FortiWeb Authentication Bypass Artifact Generator”) to help defenders identify vulnerable systems.
  • Rapid7 confirmed the exploit works against 8.0.1 and earlier and is blocked in 8.0.2.

CVE-2025-64446 technical overview

  • Vulnerability type: Path Traversal → Authentication Bypass / Privilege Escalation
  • Affected product: Fortinet FortiWeb 8.0.1 and earlier
  • Bitsight DVE Score: 9.86
  • Impact: Remote, unauthenticated administrator access
  • Exploit behavior: Creates new admin accounts for persistence
  • Mitigation indicator: HTTP 403 response on patched version 8.0.2

Why this matters

This zero-day directly compromises a perimeter security control. Once exploited, attackers can modify or disable WAF rules, exfiltrate data, or pivot deeper into the network. Because Fortinet has not yet issued a formal CVE or advisory, organizations must act on community intelligence and proactive exposure management rather than waiting for vendor notification.

CVE-2025-64446 impact to organizations

Unpatched FortiWeb systems are at high risk of complete compromise, including:

  • Unauthorized administrative access and persistent backdoors
  • Modification or disabling of security policies
  • Potential data interception and application-layer manipulation
  • Expanded attack surface for lateral movement

Given the global scanning activity, unpatched and publicly exposed FortiWeb systems are at immediate and high risk of compromise.

Recommendations

  1. Update to FortiWeb version 8.0.2 or later immediately.
    • This version has been observed to block current exploit paths and return an HTTP 403 Forbidden response.
  2. Remove management interfaces from public internet exposure.
    • Restrict access to internal networks or secure VPNs only.
  3. Review for indicators of compromise, including:
    • Newly created or unknown admin accounts (e.g., “hax0r”)
    • Unexplained configuration or rule changes
  4. Conduct a full incident investigation if suspicious accounts or activity are identified.
  5. Monitor Fortinet’s PSIRT feed for a forthcoming advisory, CVE assignment, or updated mitigation guidance.

Threat landscape and context

This campaign exemplifies the trend of attackers targeting edge security devices to gain privileged network access.

The FortiWeb incident joins a series of recent Fortinet vulnerability exploits and reinforces that perimeter security devices require the same patch urgency as endpoints and servers.

Observed credentials used in exploitation attempts

Security researchers have identified the following hard-coded administrator usernames and passwords being leveraged during exploitation of the FortiWeb zero-day vulnerability. These appear to be used by attackers to automate unauthorized login or persistence mechanisms on compromised devices:

  • Testpoint / AFodIUU3Sszp5
  • trader1 / 3eMIXX43
  • trader / 3eMIXX43
  • test1234point / AFT3$tH4ck
  • Testpoint / AFT3$tH4ck
  • Testpoint / AFT3$tH4ckmet0d4yaga!n

Note: These credentials have been observed in attacker toolkits and proof-of-concept exploits.

Organizations should search their FortiWeb logs and configurations for any accounts using these usernames or password hashes as potential indicators of compromise (IOCs).
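As an added defender-side example (not code from the Bitsight post, Fortinet, or watchTowr), the following Python covers two of the checks recommended above: it scans web-server access log lines for POST requests whose percent-decoded path matches the traversal endpoint quoted in this alert, and it compares a FortiWeb admin-account list against the IOC usernames listed here. The combined-log line format and the sample log lines and account names are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Admin usernames seen in exploitation attempts, as listed in this alert.
IOC_USERNAMES = {"Testpoint", "trader", "trader1", "test1234point"}

# Traversal pattern from the alert: the admin CMDB API path escaping to cgi-bin/fwbcgi.
FWBCGI_TRAVERSAL = re.compile(
    r"/api/v2\.0/cmdb/system/admin.*(\.\./)+.*cgi-bin/fwbcgi", re.IGNORECASE)

# Assumed combined-log style line: ip ident user [ts] "METHOD path proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def normalize_path(raw_path: str) -> str:
    """Percent-decode repeatedly (bounded) so encoded '../' or '%3f' cannot hide the traversal."""
    decoded = raw_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded

def is_traversal_request(method: str, path: str) -> bool:
    """Flag POSTs whose decoded path matches the traversal pattern to fwbcgi."""
    return method.upper() == "POST" and FWBCGI_TRAVERSAL.search(normalize_path(path)) is not None

def scan_access_log(lines):
    """Return (ip, timestamp, status) for each traversal request; a 403 suggests a patched host."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_traversal_request(m["method"], m["path"]):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits

def suspicious_admins(account_names):
    """Return admin account names matching the alert's IOC usernames (case-insensitive)."""
    wanted = {u.lower() for u in IOC_USERNAMES}
    return sorted(a for a in account_names if a.lower() in wanted)

# Constructed sample data (not real telemetry); the second line is double-encoded.
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Oct/2025:10:15:01 +0000] "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512',
    '203.0.113.9 - - [14/Nov/2025:08:02:44 +0000] "POST /api/v2.0/cmdb/system/admin%253f/..%2F..%2F..%2F..%2F..%2Fcgi-bin/fwbcgi HTTP/1.1" 403 0',
    '192.0.2.5 - - [14/Nov/2025:08:03:10 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 200 2048',
]
SAMPLE_ADMINS = ["admin", "Testpoint", "trader1", "ops-backup"]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("traversal attempt:", hit)
    print("IOC admin accounts:", suspicious_admins(SAMPLE_ADMINS))
```

A hit with a 200 status on a host that was running 8.0.1 or earlier at that time warrants the full incident investigation described in the recommendations, not just account cleanup.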

How Bitsight TI and TPRM support you

Bitsight Threat Intelligence (TI) and Third-Party Risk Management (TPRM) help organizations detect and prioritize exposure to critical vulnerabilities like this one by:

  • Identifying internet-facing FortiWeb assets and vendors running affected versions.
  • Correlating threat activity with Bitsight’s external risk data.
  • Delivering continuous monitoring for emerging zero-day exploitation trends.

Conclusion / call to action

The FortiWeb zero-day is active, global, and escalating.

Any organization running FortiWeb 8.0.1 or earlier should assume potential compromise if management interfaces were publicly accessible since October 2025.

Immediate actions:

  • Patch to 8.0.2 or later
  • Restrict management interface exposure
  • Search for unauthorized admin accounts and IOC credentials

Bitsight will continue monitoring this vulnerability and provide updates as new intelligence emerges.

Act now: verify, patch, and validate your exposure.

For more information, be sure to check out our Behind the Headlines report.
