Summary
A critical zero-day, CVE-2025-64446, path-traversal vulnerability in Fortinet FortiWeb, the company’s Web Application Firewall (WAF), is being actively exploited in the wild to create unauthorized administrator accounts on exposed systems.
This flaw allows unauthenticated attackers to gain complete administrator access to affected devices.
Exploitation of CVE-2025-64446 has been ongoing since early October 2025, however, the CVE name was assigned today, November 14, 2025.
Both watchTowr Labs and Rapid7 have verified the exploit, and public proof-of-concept (PoC) code is now circulating.
CVE-2025-64446 overview
The flaw resides in the FortiWeb endpoint:
/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi
Attackers send crafted HTTP POST requests to this path, creating local administrative users without authentication.
The vulnerability affects FortiWeb 8.0.1 and earlier and is patched in version 8.0.2, which now rejects exploitation attempts with an HTTP 403 Forbidden response.
Initial exploitation was observed by Defused on October 6 2025; activity has since escalated globally.
According to Bitsight Threat Intelligence
According to Bitsight Threat Intelligence — drawing on both internal telemetry and public reporting from Defused, watchTowr Labs, Rapid7, and BleepingComputer — the following activity has been observed:
- Active exploitation since October 2025, originating from IPs in the U.S., Europe, and Asia.
- Use of automated payloads that create admin accounts named “Testpoint,” “trader,” and “trader1”.
- Assigned passwords such as 3eMIXX43, AFT3$tH4ck, and AFT3$tH4ckmet0d4yaga!n.
- A PoC exploit released publicly and a tool from watchTowr Labs (“FortiWeb Authentication Bypass Artifact Generator”) to help defenders identify vulnerable systems.
- Rapid7 confirmed the exploit works against 8.0.1 and earlier and is blocked in 8.0.2.
CVE-2025-64446 technical overview
- Vulnerability type: Path Traversal → Authentication Bypass / Privilege Escalation
- Affected product: Fortinet FortiWeb 8.0.1 and earlier
- Bitsight DVE Score: 9.86
- Impact: Remote, unauthenticated administrator access
- Exploit behavior: Creates new admin accounts for persistence
- Mitigation indicator: HTTP 403 response on patched version 8.0.2
Why this matters
This zero-day directly compromises perimeter security control. Once exploited, attackers can modify or disable WAF rules, exfiltrate data, or pivot deeper into the network. Because Fortinet has not yet issued a formal CVE or advisory, organizations must act on community intelligence and proactive exposure management rather than waiting for vendor notification.