CVE-2025-64446: Critical Fortinet FortiWeb Path Traversal Vulnerability Exploited to Create Administrative Accounts

On November 13, 2025,?open source reporting?began detailing active exploitation of a silently patched Fortinet?FortiWeb?vulnerability.

On November 13, 2025,??began detailing active exploitation of a silently patched Fortinet?FortiWeb?vulnerability. The flaw is a path traversal issue in the?FortiWeb?web application?firewall?(WAF) that allows an unauthenticated threat actor to create new administrative users on exposed devices. The following day, November 14,??officially addressed the vulnerability in an advisory, tracking it as CVE?2025?64446.?

Exploitation involves sending an HTTP POST request to /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi?with a payload designed to create an administrative account. Attempts to exploit this vulnerability have been reported since at least?.?WatchTowr?produced a working exploit and confirmed that it no longer functions on the latest version of?FortiWeb?(8.0.2).?

Threat actors are likely to continue targeting this vulnerability in the near future due to?FortiWeb��s?integration with other Fortinet products, which could provide access to additional systems and data.?FortiWeb?vulnerabilities have been exploited in the wild previously, including an instance in July 2025 when CVE?2025?25257 was targeted shortly after disclosure.?

Recommendations for CVE-2025-64446

Upgrade to Latest Fixed Version

Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.?

Product?

Affected Version?

Fixed Version?

FortiWeb?

8.0.0 through 8.0.1?

7.6.0 through 7.6.4?

7.4.0 through 7.4.9?

7.2.0 through 7.2.11?

7.0.0 through 7.0.11?

8.0.2 or above?

7.6.5 or above?

7.4.10 or above?

7.2.12 or above?

7.0.12 or above?

Please follow your organization’s patching and testing guidelines to minimize potential operational impact.?

Remove?FortiWeb?Management Interface?From?Public Internet

Fortinet recommends disabling HTTP and HTTPS access to the?FortiWeb?Management Interface from the public internet to reduce your attack surface and limit the risk of remote exploitation from this or future vulnerabilities.?

References?

? 2026 ��. All Rights Reserved.
Privacy Notice	Terms of Use	Cookie Policy	Accessibility Statement	Information Security	Sustainability Statement	Cookies Settings

������

Agentic SOC

Journey

Reduce Attack Frequency

Reduce Attack Severity

Transfer Risk

Get Started

Why Arctic Wolf

Expertise by Topic

Incident Response Timelines

Expertise by Industry

Resource Center

Trending Resources

The Arctic Wolf Threat Report draws upon the first-hand experience of our security experts, augmented by research from our threat intelligence team.

The Arctic Wolf State of Cybersecurity: 2025 Trends Report serves as an opportunity for decision makers to share their experiences over the past 12 months and their perspectives on some of the most important issues shaping the IT and security landscape.

Join Arctic Wolf on an interactive journey to discover a better path past the hazards of the modern threat landscape.

Security Bulletins

Microsoft Patch Tuesday: April 2026?

CVE-2026-35616: Fortinet Releases Hotfix for Critical Exploited Vulnerability in FortiClient EMS

CVE-2026-2699 & CVE-2026-2701: Progress ShareFile Storage Zones Controller Pre-Auth RCE Chain

Partners

Company

Careers

Press

Brand Partnerships