CVE-2025-64446
published 2025-11-14

Priority P1 · 99 · critical · 9.8 · CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2025-11-21
Exploited in the wild
EPSS: 89.53% (99.8th percentile)
A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

Affected

12 ranges

Vendor    Product   Version range        Fixed in
fortinet  fortinet
fortinet  fortiweb
fortinet  fortiweb  >= 7.0.0 < 7.0.12    7.0.12
fortinet  fortiweb  7.0.0 – 7.0.11
fortinet  fortiweb  >= 7.2.0 < 7.2.12    7.2.12
fortinet  fortiweb  7.2.0 – 7.2.11
fortinet  fortiweb  >= 7.4.0 < 7.4.10    7.4.10
fortinet  fortiweb  7.4.0 – 7.4.9
fortinet  fortiweb  >= 7.6.0 < 7.6.5     7.6.5
fortinet  fortiweb  7.6.0 – 7.6.4
fortinet  fortiweb  >= 8.0.0 < 8.0.2     8.0.2
fortinet  fortiweb  8.0.0 – 8.0.1

Detection & IOCs (extracted from sources)

url:   POST /api/v2.0/cmd/system/admin%3F/../../../../../cgi-bin/fwbcgi
path:  /api/v2.0/cmd/system/admin%3F/../../../cgi-bin/fwbcgi
path:  /api/v2.0/cmd/system/admin%3F/../../../../../cgi-bin/fwbcgi
other: CGIINFO header: base64-encoded JSON with username=admin, profname=super_admin, vdom=root, loginname=admin
  • Look for POST requests containing path traversal sequences targeting /api/v2.0/cmd/system/admin%3F/../../../../../cgi-bin/fwbcgi in HTTP/HTTPS logs on FortiWeb devices.
  • Detect requests containing base64-encoded CGIINFO HTTP headers, which are used to impersonate the built-in admin account via the cgi_auth() function.
  • Review logs for Base64-encoded CGIINFO headers as an indicator of exploitation attempts.
  • Recorded Future's Insikt Group created a Nuclei template for non-intrusive detection of the path traversal without creating accounts or modifying system state.
  • Sicarii ransomware was observed checking for CVE-2025-64446 exploitation against Fortinet devices as part of its attack chain.
  • The path traversal works because the URI begins with a valid API path; the %3F (URL-encoded '?') is used to traverse from the API endpoint to the underlying CGI binary. The exact number of traversal segments may vary (e.g., /../../../ vs /../../../../../).
  • Active exploitation has been observed since early October 2025, prior to public disclosure; approximately 4,768 FortiWeb instances were exposed on Shodan at time of reporting.
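The following is an added detection example, not part of this record or of any Fortinet or vendor tooling. It scans constructed JSON-lines access-log records for the two indicators listed above: an API-prefixed path that contains traversal segments and resolves to /cgi-bin/fwbcgi (regardless of how many ../ segments are used, and after repeated URL decoding so a double-encoded %253F is not missed), and a CGIINFO header carrying base64-encoded JSON with the admin-impersonation fields. The log format, field names and sample lines are assumptions made for the demo.

```python
import base64
import binascii
import json
import posixpath
from urllib.parse import unquote

# Constructed JSON-lines access-log records (not real FortiWeb logs).
# Line 1: traversal path plus a CGIINFO header built from the fields named in the record.
# Line 2: benign API call.  Line 3: double-encoded variant with fewer traversal segments.
# Line 4: traversal outside the API prefix, which this rule deliberately ignores.
_CGIINFO_SAMPLE = base64.b64encode(json.dumps({
    "username": "admin", "profname": "super_admin", "vdom": "root", "loginname": "admin",
}).encode()).decode()
SAMPLE_LOGS = "\n".join([
    json.dumps({"method": "POST",
                "path": "/api/v2.0/cmd/system/admin%3F/../../../../../cgi-bin/fwbcgi",
                "headers": {"CGIINFO": _CGIINFO_SAMPLE}}),
    json.dumps({"method": "GET", "path": "/api/v2.0/system/status", "headers": {}}),
    json.dumps({"method": "POST",
                "path": "/api/v2.0/cmd/system/admin%253F/../../../cgi-bin/fwbcgi",
                "headers": {}}),
    json.dumps({"method": "GET", "path": "/static/../img/logo.png", "headers": {}}),
])

API_PREFIX = "/api/"
CGI_TARGET = "/cgi-bin/fwbcgi"


def full_decode(path, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded sequences like %253F are caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def parse_cgiinfo(value):
    """Return the CGIINFO value decoded as base64 JSON object, or None if it is not one."""
    try:
        obj = json.loads(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def classify_request(record):
    """Return the list of indicator names matched by one request record (empty if clean)."""
    hits = []
    decoded = full_decode(record.get("path", ""))
    # Indicator 1: a valid API prefix followed by traversal segments.
    if decoded.startswith(API_PREFIX) and "/../" in decoded:
        hits.append("api_path_traversal")
        # Resolve the segments; works whether 3 or 5 "../" were used.
        if posixpath.normpath(decoded).endswith(CGI_TARGET):
            hits.append("traversal_resolves_to_fwbcgi")
    # Indicator 2: CGIINFO header (case-insensitive name) with impersonation fields.
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    cgiinfo = headers.get("cgiinfo")
    if cgiinfo is not None:
        hits.append("cgiinfo_header_present")
        info = parse_cgiinfo(cgiinfo)
        if info and {"username", "profname"} & set(info):
            hits.append("cgiinfo_impersonation_fields")
    return hits


def scan_log(text):
    """Scan JSON-lines text; return (line_number, hits) for each line with at least one hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except ValueError:
            continue  # skip malformed lines rather than abort the scan
        hits = classify_request(record)
        if hits:
            findings.append((lineno, hits))
    return findings


if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOGS):
        print(f"line {lineno}: {', '.join(hits)}")
```

Matching on the API prefix plus the resolved target, rather than on one literal URL, is what keeps the rule robust to the varying segment counts the sources mention; the separate CGIINFO indicator gives a second, independent signal, since the header is only meaningful to the CGI binary behind the traversal.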

CVSS provenance

nvd        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck        9.8  CRITICAL
cisa             9.8  CRITICAL