Fortinet FortiWeb unauthenticated exploit

26 Nov 2025

Fortinet FortiWeb unauthenticated exploit

Situation

In November 2025, two serious vulnerabilities affecting Fortinet FortiWeb appliances came to light. The first, CVE 2025 64446, is a relative path traversal flaw that allows unauthenticated attackers to send crafted HTTP(S) requests to create administrative accounts and run system-level commands. The second, CVE 2025 58034, is an OS command injection vulnerability that permits authenticated attackers to execute arbitrary commands on the underlying operating system via CLI or HTTP-based interfaces. Both vulnerabilities are being actively exploited in the wild. Fortinet has released patches, and security agencies, including CISA, have added these CVEs to their Known Exploited Vulnerabilities (KEV) catalogs, imposing tight deadlines for remediation.

Problem

CVE 2025 64446 arises due to a relative path traversal vulnerability (CWE 23) in certain versions of FortiWeb. This flaw lets an attacker craft HTTP or HTTPS requests that manipulate file paths (“..” sequences) in a way that escapes normal directory restrictions on the device. Because of this traversal, the attacker can reach administrative parts of the system (such as CGI or WebSocket CLI) that should not otherwise be accessible, allowing them to execute administrative commands, create new admin accounts, or otherwise take control without prior authentication. Affected versions include FortiWeb 7.0.x, 7.2.x, 7.4.x, 7.6.x, and 8.0.x (up to certain subversions). The vulnerability has a very high severity, with a CVSS v3.1 score of 9.8, as reported by several sources. CVE 2025 58034, by contrast, is a different type of issue: an OS command injection (CWE 78). It requires authentication, meaning an attacker must already have valid credentials. Within the FortiWeb system (via its HTTP API or CLI), the attacker can submit specially crafted input that is improperly sanitized, and that input ends up being interpreted as a system-level command. Once exploited, the attacker may run arbitrary commands, potentially at a high privilege level. Fortinet has confirmed active exploitation, and the affected versions are similar (7.0.x, 7.2.x, 7.4.x, 7.6.x, 8.0.x, within certain subversions).

Risk & Impact

When considered together, these two vulnerabilities form a highly dangerous attack chain, because they lower two critical barriers:

  • Initial Access & Privilege Escalation
    • CVE 2025 64446 allows an unauthenticated attacker to create admin accounts. Once he or she has an admin account, they can gain persistent, high-level access to the FortiWeb management interface.
    • After obtaining admin privileges, the attacker could then use CVE 2025 58034 to inject OS commands, thereby gaining full control over the appliance.
  • Full System Compromise
    • Exploiting CVE 2025 58034 allows command execution at the OS level, enabling the attacker to install backdoors, change configurations, disable detections, or exfiltrate data.
    • If both CVEs are exploited in tandem, the attacker could not only establish persistence but also deeply manipulate or disrupt the Web Application Firewall (WAF) itself, potentially undermining its core mission of protecting web applications.
  • Lateral Movement & Defense Evasion
    • A compromised FortiWeb device, especially one that controls or monitors web traffic, provides a powerful pivot point into other parts of an organization’s network.
    • The attacker may also disable or bypass WAF rules, making it easier to stage further attacks on protected applications.
  • Operational & Compliance Risk
    • Because both vulnerabilities are actively exploited, there is a real and present threat to organizations running vulnerable versions.
    • Regulatory risk is also high: CISA has added both to its KEV catalog.
    • The impact on confidentiality (access to config files, logs), integrity (ability to alter WAF rules), and availability (potential disruption) is severe.

Mitigation/Prevention

To mitigate these risks, organizations should take immediate action and also plan for long-term security hardening.

Immediate Remediation:
  • Patch FortiWeb devices to the latest versions as recommended by Fortinet:
    • For CVE 2025 64446, upgrade to versions that fix the path traversal vulnerability. According to advisories, this means at least FortiWeb 8.0.2, 7.6.5, 7.4.10, 7.2.12, or 7.0.12 depending on your current version.
    • For CVE 2025 58034, also upgrade to the patched versions (same version lines apply) to remove the command-injection exposure.
  • Restrict management interfaces (HTTP/HTTPS or CLI) so that only trusted internal networks or VPNs can access them. This reduces the risk of both vulnerabilities being exploited from external sources.
  • Disable internet-facing HTTP/HTTPS on devices that cannot be patched immediately, especially for CVE 2025 64446 scenarios where a remote unauthenticated attacker could exploit the flaw.

  Security Hardening & Long-Term Measures:
  • Enforce strong authentication for administrative accounts, including multi-factor authentication (MFA), to reduce the risk that an attacker can leverage weak or stolen credentials.
  • Apply the principle of least privilege: only give users the rights they strictly need; avoid giving broad admin privileges when not necessary.
  • Audit admin accounts: once patched, perform a review of any newly created or unexpected accounts (especially from before patching) to ensure no rogue accounts were created.
  • Monitor logs actively: set up alerting for suspicious HTTP requests, administrative changes, or any anomalous CLI commands that could be associated with exploitation of either CVE.
  • Network segmentation: place FortiWeb devices in well-guarded network zones to limit the blast radius if an attacker does compromise them.
  • Incident response readiness: have a plan in place to isolate, rebuild, or restore FortiWeb appliances if detected compromise is suspected.

IOC’s

While detailed public IOCs (such as specific exploit payloads) may still be limited, there are several behaviors and artifacts that security teams should look for:

  • Unexpected admin accounts: Look for newly created administrator users that were not authorized. Because CVE 2025 64446 allows account creation, this is a high-risk indicator.
  • Suspicious HTTP POST requests: Specifically, requests targeting non standard or crafted endpoints. For CVE 2025 64446, the attacker may use paths like /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi or similar traversal sequences.
  • CLI history anomalies: For CVE 2025 58034, check the CLI command history for unusual or unauthorized commands, or for commands that include shell meta characters or OS command syntax.
  • Process and file system changes: After compromise, there may be new processes, scripts, or binaries saved on the device. Monitor for unexpected file writes or scheduled tasks.
  • Outbound connections: A compromised appliance may make unexpected outbound connections, possibly for command-and-control (C2) or data exfiltration.
  • Log tampering: Attackers may try to suppress or alter logging to hide their tracks, especially after having OS-level access.

Links
https://www.cyber.gc.ca/en/alerts-advisories/al25-017-vulnerability-impacting-fortinet-fortiweb-cve-2025-64446
https://fortiguard.fortinet.com/psirt/FG-IR-25-910
https://fortiguard.fortinet.com/psirt/FG-IR-25-513
https://www.cisa.gov/news-events/alerts/2025/11/18/cisa-adds-one-known-exploited-vulnerability-catalog
https://www.cybersecuritydive.com/news/command-injection-flaw-fortinet-fortiweb-exploitation/806027/
Note: this component is only available for the blocks: platinum