CVE-2025-64446 | Fortiweb | PT
| Vulnerability | CVE-2025-64446 |
|---|---|
| Type | Relative Path Traversal Vulnerability |
| Description | A relative path traversal vulnerability in multiple versions of FortiWeb. An unauthenticated adversary can send a single crafted HTTP request whose path traverses out of the REST API namespace to the fwbcgi CGI executable and issue commands as an administrator. |
| The Impact of the Bug | The vulnerability is not just a path traversal but also an authentication bypass: the fwbcgi executable does not authenticate the caller and instead accepts the caller's identity as request input. Because the admin account is a built-in user with predictable attributes in most deployments, an adversary can impersonate it and execute highly privileged administrative commands. The vulnerability has been exploited in the wild. |
| How to detect if you have a vulnerable application to this attack vector? | - Check the FortiWeb version. Vulnerable versions: 8.0.0 through 8.0.1 (fixed in 8.0.2), 7.6.0 through 7.6.4 (fixed in 7.6.5), 7.4.0 through 7.4.9 (fixed in 7.4.10), 7.2.0 through 7.2.11 (fixed in 7.2.12), 7.0.0 through 7.0.11 (fixed in 7.0.12). - An HTTP GET request to the path "/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi" that returns 200 indicates the traversal reaches fwbcgi; treat it as an indicator and confirm with the version check. - Check web server logs for POST requests to the path "/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi" to detect exploitation attempts; match on the percent-decoded and normalized path, since attackers can vary the encoding of the dot segments. |
| References | - https://fortiguard.fortinet.com/psirt/FG-IR-25-910 - https://github.com/sxyrxyy/CVE-2025-64446-FortiWeb-CGI-Bypass-PoC/tree/master - https://blog.qualys.com/vulnerabilities-threat-research/2025/11/14/unauthenticated-authentication-bypass-in-fortinet-fortiweb-cve-2025-64446-exploited-in-the-wild |
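The two detection checks above (version range and log review) as one added example, written for this page and not taken from Fortinet, the PoC repository or the Qualys post. It assumes Apache combined log format and uses constructed sample lines, not real traffic; the function names and the ranges table are mine, the ranges themselves are the ones listed in the table. It also shows why the request works at all: once `%3F` is decoded and the dot segments are resolved, the API path collapses to `/cgi-bin/fwbcgi`, so the scanner matches on that normalized form rather than on one literal spelling.

```python
import posixpath
import re
from urllib.parse import unquote

# Inclusive vulnerable ranges from FG-IR-25-910, as listed on this page (assumed complete).
VULNERABLE_RANGES = [
    ((8, 0, 0), (8, 0, 1)),
    ((7, 6, 0), (7, 6, 4)),
    ((7, 4, 0), (7, 4, 9)),
    ((7, 2, 0), (7, 2, 11)),
    ((7, 0, 0), (7, 0, 11)),
]


def parse_version(text):
    """Turn '7.6.4' or 'v7.4.9,build1234' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if the version falls inside any affected range (tuple comparison is lexicographic)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


def normalize_request_path(raw_target):
    """Percent-decode until stable (defeats double encoding) and resolve dot segments.

    Deliberately does NOT split on '?': the decoded %3F is treated as an ordinary path
    character, which is how the traversal escapes the /api/v2.0/ namespace.
    """
    path = raw_target
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return posixpath.normpath(path)  # keeps the leading '/' and clamps '..' at the root


TARGET = "/cgi-bin/fwbcgi"
REQ_RE = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+"')


def scan_log(lines):
    """Flag requests that reach fwbcgi through traversal; direct CGI calls are left alone
    to avoid noise from the appliance's own GUI traffic."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        method, target = m.group(1), m.group(2)
        if target == TARGET or normalize_request_path(target) != TARGET:
            continue
        reason = "exploitation attempt" if method == "POST" else "probe"
        hits.append({"line": n, "method": method, "target": target, "reason": reason})
    return hits


# Constructed sample log lines (not real traffic); the third uses %2e%2e instead of '..'.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Nov/2025:10:01:02 +0000] "POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 51 "-" "python-requests/2.31"',
    '203.0.113.5 - - [14/Nov/2025:10:01:00 +0000] "GET /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 0 "-" "curl/8.4.0"',
    '198.51.100.7 - - [14/Nov/2025:11:22:33 +0000] "POST /api/v2.0/cmdb/system/admin%3F/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/cgi-bin/fwbcgi HTTP/1.1" 200 51 "-" "Mozilla/5.0"',
    '192.0.2.10 - admin [14/Nov/2025:09:00:00 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [14/Nov/2025:08:59:00 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ver in ("7.6.4", "7.6.5", "8.0.2"):
        print(f"{ver}: {'VULNERABLE' if is_vulnerable(ver) else 'not affected'}")
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run it against a real access log with `scan_log(open(path).read().splitlines())`; a hit with method POST is the exploitation signature the page describes, while the GET variant is the probe used to test reachability. If your front end logs the already-decoded path, the `target == TARGET` exclusion will hide traversal hits, so in that case drop it and correlate on source address and timing instead.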