CVE-2025-64446: Authentication Bypass via Path Traversal in FortiWeb


CVE-2025-64446 is a severe path confusion vulnerability in the Fortinet FortiWeb GUI that results in an Authentication Bypass. This flaw allows an unauthenticated attacker to execute administrative commands on the system using crafted HTTP or HTTPS requests. Fortinet has observed this vulnerability being exploited in the wild.

Severity: Critical

Vulnerability Details

CVE-2025-64446 (CVSS Score: 9.1) is composed of two tightly connected flaws:

  1. Relative Path Traversal (CWE-23)
    • Vulnerable URI pattern: /api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi
    • Allows redirection from a legitimate API path to the sensitive fwbcgi binary through ../ traversal sequences.
    • This bypasses intended access control and exposes sensitive back-end functionality.
  2. Authentication Bypass via HTTP_CGIINFO Header
    • The fwbcgi binary accepts a Base64-encoded JSON blob in the HTTP_CGIINFO HTTP header.
    • Once decoded, this JSON lets the attacker impersonate any user, including admin, without needing valid credentials.

Exploitation Flow

  1. Stage 1 – Path Traversal
    • The attacker sends a GET or POST request to a crafted API path that reaches the fwbcgi binary.
    • If the request returns HTTP 200, the target is vulnerable; 403 means patched.
  2. Stage 2 – Input Validation Bypass
    • The cgi_inputcheck() function only checks for valid JSON or skips validation entirely if no related file exists.
    • Minimal payload like {} passes the check.
  3. Stage 3 – User Impersonation
    • cgi_auth() extracts and decodes the HTTP_CGIINFO header.
    • Attributes like username, profname, vdom, and loginname are applied directly.
    • The attacker now impersonates an administrator and can perform any privileged action.
  4. Stage 4 – Command Execution
    Final stage flows into cgi_process(), enabling actions like:
    • Creating new admin accounts.
    • Changing configurations.
    • Establishing persistence.

Indicators Of Exploitation

  1. Unexpected admin account creation since early October 2025.
  2. New local user accounts with prof_admin access profiles.
  3. Accounts with trust host ranges set to 0.0.0.0/0 or ::/0.
  4. POST requests to /cgi-bin/fwbcgi with base64-encoded HTTP_CGIINFO headers.
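Detection logic for the traversal-to-fwbcgi pattern from the exploitation flow and for indicator 4 above, as an added Python example that is not part of this advisory or of Fortinet's code: it normalizes each request path to see whether it resolves to /cgi-bin/fwbcgi and checks whether an accompanying CGIINFO header decodes to JSON. Assumptions: the sample requests are constructed, the header is looked up as CGIINFO or HTTP_CGIINFO, and percent-encoded traversal is decoded before normalizing, a defensive generalization the advisory does not state.

```python
import base64
import json
import posixpath
from urllib.parse import unquote, urlsplit

FWBCGI = "/cgi-bin/fwbcgi"  # back-end CGI named in the advisory
IDENTITY_KEYS = ("username", "profname", "vdom", "loginname")  # attributes cgi_auth() applies

def normalize_path(uri):
    """Percent-decode the path and collapse '../'; normpath keeps the leading '/' so excess '..' cannot climb above it."""
    return posixpath.normpath(unquote(urlsplit(uri).path))

def decode_cgiinfo(value):
    """Return the parsed dict if value is base64-encoded JSON, else None."""
    try:
        obj = json.loads(base64.b64decode(value, validate=True))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return None
    return obj if isinstance(obj, dict) else None

def triage(method, uri, headers):
    """Findings for one request (empty list = clean); header may arrive as CGIINFO or HTTP_CGIINFO (assumed)."""
    findings = []
    raw_path = unquote(urlsplit(uri).path)
    resolved = normalize_path(uri)
    if resolved == FWBCGI and raw_path != FWBCGI:
        findings.append("path %s resolves to %s via traversal" % (raw_path, FWBCGI))
    cgiinfo = next((v for k, v in headers.items()
                    if k.upper().replace("-", "_") in ("CGIINFO", "HTTP_CGIINFO")), None)
    if resolved == FWBCGI and cgiinfo is not None:
        blob = decode_cgiinfo(cgiinfo)
        if blob is None:
            findings.append("%s to fwbcgi with CGIINFO header that is not base64 JSON" % method)
        else:
            keys = ", ".join(k for k in IDENTITY_KEYS if k in blob) or "none"
            findings.append("%s to fwbcgi with base64 JSON CGIINFO header, identity keys: %s"
                            % (method, keys))
    return findings

def scan(requests):
    """Return [(index, findings)] for every request that produced at least one finding."""
    return [(i, f) for i, (m, u, h) in enumerate(requests) if (f := triage(m, u, h))]

# Constructed sample requests for this example (not a real FortiWeb log format).
SAMPLE_REQUESTS = [
    ("GET", "/api/v2.0/cmdb/system/admin", {}),                  # ordinary API call, no finding
    ("POST", "/api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi",
     {"CGIINFO": base64.b64encode(b"{}").decode()}),             # advisory's URI + minimal {} blob
    ("GET", "/api/v2.0/cmdb/system/admin/..%2F..%2F..%2F..%2F..%2Fcgi-bin/fwbcgi", {}),
]
```

Feeding real front-end access logs through `triage` requires only mapping each log line to a (method, path, headers) tuple; any request that resolves to fwbcgi from outside /cgi-bin is worth a look regardless of whether the appliance answered 200 or 403.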

Targeted Sectors And Financial Impact

  • Targets: The most frequently targeted sectors are manufacturing, educational institutions, information technology, healthcare and public health, financial services, and food and agriculture.
  • Financial Impact: As of late September 2025, the Akira ransomware group has reportedly collected approximately $244.17 million (USD) in ransom proceeds.
  • Variants: Initially focused on Windows, the actors deployed a Linux variant targeting VMware ESXi virtual machines in April 2023, and have since expanded to encrypt Nutanix AHV VM disk files. They use the original C++ based Akira variant (with .akira extension) and a Rust-based “Megazord” encryptor (with .powerranges extension) interchangeably.

Attack Details

  1. Initial Access: Primary access vector is VPN services lacking MFA, often by exploiting known vulnerabilities in Cisco products (multiple CVEs) or by stealing login credentials (e.g., from initial access brokers, brute-forcing SonicWall VPN). Other methods include spearphishing and exploiting unpatched Veeam backup servers.
  2. Persistence & Privilege Escalation: Actors create new domain accounts (e.g., itadm) and add them to the administrator group for persistence. They harvest credentials using techniques like Kerberoasting and tools such as Mimikatz and LaZagne.
  3. Defense Evasion: Security software is disabled, antivirus processes are terminated (using tools like Power Tool), and Endpoint Detection and Response (EDR) systems are uninstalled to evade detection.
  4. Lateral Movement: Movement across the network is executed using legitimate remote access software like AnyDesk, LogMeIn, as well as RDP, SSH, and MobaXterm.
  5. Exfiltration: Data is collected and compressed using tools like FileZilla and WinRAR, and then exfiltrated using utilities like WinSCP and RClone to cloud storage services (e.g., Mega).
  6. Impact: The ransomware encrypts files using a hybrid encryption scheme. It executes PowerShell commands to delete Volume Shadow Copy Service (VSS) copies to inhibit system recovery efforts. The actors apply pressure by threatening to publish stolen data and have been observed contacting victims directly.

Affected & Fixed Versions

Version        Affected                Fixed
FortiWeb 8.0   8.0.0 through 8.0.1     8.0.2 or above
FortiWeb 7.6   7.6.0 through 7.6.4     7.6.5 or above
FortiWeb 7.4   7.4.0 through 7.4.9     7.4.10 or above
FortiWeb 7.2   7.2.0 through 7.2.11    7.2.12 or above
FortiWeb 7.0   7.0.0 through 7.0.11    7.0.12 or above

Recommendations

  1. Immediately upgrade affected FortiWeb versions to the latest fixed versions.
  2. Workaround: Disable HTTP or HTTPS on internet-facing interfaces. Fortinet recommends taking this action until the upgrade can be performed.
  3. Post-Upgrade Actions: Fortinet recommends that customers review their configuration and logs for unexpected modifications or the addition of unauthorized administrator accounts.
