Threat Insight

FortiWeb Authentication Bypass Vulnerability Exploited in the Wild

A relative path traversal vulnerability in Fortinet FortiWeb may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

Insight

The vulnerability exists due to a flaw in the validation checks in the HTTP requests used to authenticate API callers. By supplying a handcrafted HTTP_CGIINFO header, an attacker can impersonate any user, including the built-in admin, and inherit their full privileges.

CVE

CVE-2025-64446

Affected Products

  • FortiWeb 8.0.0 through 8.0.1
  • FortiWeb 7.6.0 through 7.6.4
  • FortiWeb 7.4.0 through 7.4.9
  • FortiWeb 7.2.0 through 7.2.11
  • FortiWeb 7.0.0 through 7.0.11

Exploitation

Fortinet has observed this to be exploited in the wild[1].

Fortinet recommends disabling HTTP or HTTPS on internet-facing interfaces until an upgrade can be performed. If the HTTP/HTTPS management interface is accessible only internally, as per best practice, the risk is significantly reduced[1].

Truesec recommends that customers running any of the vulnerable FortiWeb versions review their configurations and logs for unexpected modifications, and in particular for any suspicious additions of unauthorized administrator accounts.

Upgrade table[1][2]:

  • FortiWeb 8.0 Upgrade to 8.0.2 or above
  • FortiWeb 7.6 Upgrade to 7.6.5 or above
  • FortiWeb 7.4 Upgrade to 7.4.10 or above
  • FortiWeb 7.2 Upgrade to 7.2.12 or above
  • FortiWeb 7.0 Upgrade to 7.0.12 or above

Detection

Run the following request to see if you are vulnerable[2]:

GET /api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi HTTP/1.1
Host: 192.168.9.1
Connection: keep-alive

If the request returns HTTP 200, the vulnerability is present.

If the request returns HTTP 403, the vulnerability has been patched.
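The detection request above, and the recommendation to review logs for unexpected activity, both come down to one observable: a request path whose `..` segments resolve to `/cgi-bin/fwbcgi`. The following is an added example (not Truesec's or Fortinet's code) that scans web access-log lines for that pattern. It percent-decodes the path, resolves the relative segments, and flags entries that land on `/cgi-bin/fwbcgi` as high, while any other traversal is queued for review. The log lines are constructed in a generic combined-log style for illustration; the actual FortiWeb log format, and any log source you feed it, are assumptions on your side. It goes slightly beyond the advisory's single request by also catching the percent-encoded form of the same traversal.

```python
"""Flag access-log entries whose '..' segments resolve to /cgi-bin/fwbcgi,
the path reached by the CVE-2025-64446 check in this advisory.

Added example; not Truesec's or Fortinet's code. SAMPLE_LOG is constructed
in a generic combined-log style; real FortiWeb log lines will differ.
"""
import re
from urllib.parse import unquote

# Target the advisory's detection request resolves to
FWBCGI = "/cgi-bin/fwbcgi"

# Generic '"METHOD PATH HTTP/x.y" STATUS' request field (assumed log layout)
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def _decode(path: str) -> str:
    """Drop the query string and percent-decode twice to expose %2e%2e and %252e."""
    return unquote(unquote(path.split("?", 1)[0]))


def has_traversal(path: str) -> bool:
    """True if any path segment is '..' after decoding."""
    return ".." in _decode(path).split("/")


def normalize_path(path: str) -> str:
    """Resolve '.' and '..' segments like a lenient resolver: '/a/b/../../x' -> '/x'."""
    out = []
    for seg in _decode(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def classify(line: str):
    """Return a finding dict for a traversal request, or None for benign lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    path = m.group("path")
    if not has_traversal(path):
        return None
    resolved = normalize_path(path)
    # A 403 still records an attempt against a patched host; keep the status for triage
    return {
        "raw": path,
        "resolved": resolved,
        "status": int(m.group("status")),
        "severity": "high" if resolved == FWBCGI else "review",
    }


def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample lines (not from any real device)
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "POST /api/v2.0/cmdb/system/admin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/cgi-bin/fwbcgi HTTP/1.1" 200 0',
    '10.0.0.7 - - [01/Jan/2025:10:00:04 +0000] "GET /static/../index.html HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2025:10:00:05 +0000] "GET /api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'[{hit["severity"]}] {hit["status"]} {hit["raw"]} -> {hit["resolved"]}')
```

A request that resolves to `/cgi-bin/fwbcgi` and was answered with HTTP 200 on an unpatched host warrants the configuration and administrator-account review the advisory recommends; a 403 on a patched host still shows someone tried, so the source address is worth correlating with other logs.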

References

[1] https://fortiguard.fortinet.com/psirt/FG-IR-25-910

[2] https://labs.watchtowr.com/when-the-impersonation-function-gets-used-to-impersonate-users-fortinet-fortiweb-auth-bypass/
