A critical security vulnerability in Fortinet's FortiWeb web application firewall is being actively exploited in the wild, allowing attackers to completely bypass authentication and gain full administrative control over vulnerable devices.
The flaw, now tracked as CVE-2025-64446, was discovered by cybersecurity researchers at WatchTowr Labs after detecting suspicious exploitation attempts targeting FortiWeb appliances globally. Fortinet has confirmed the vulnerability affects multiple versions across several product lines.
How the Attack Works
The vulnerability chains two distinct security flaws: a path traversal weakness that lets attackers access restricted system files, and an authentication bypass that exploits FortiWeb's user impersonation function. By crafting a malicious HTTP request with a specially formatted header called "CGIINFO," attackers can trick the system into believing they're legitimate administrators.
"The function effectively provides a mechanism to impersonate any user based on data supplied by the client," WatchTowr researchers explained in their technical analysis. The vulnerability requires no prior access or credentials—attackers simply send JSON-encoded user attributes in Base64 format to assume administrative privileges.
Once exploited, threat actors gain complete control over the appliance and have been observed creating persistent backdoor accounts named variations of "Testpoint" to maintain long-term access.
Affected Versions and Patches
The following FortiWeb versions are vulnerable:
- 8.0: versions before 8.0.2
- 7.6: versions before 7.6.5
- 7.4: versions before 7.4.10
- 7.2: versions before 7.2.12
- 7.0: versions before 7.0.12
- 6.4: all versions through 6.4.3
- 6.3: all versions through 6.3.23
Fortinet has released patches addressing the vulnerability, though initially without public disclosure. Administrators should immediately upgrade to patched versions and audit their systems for suspicious administrative accounts or unauthorized configuration changes.
WatchTowr has published a detection tool on GitHub to help organizations identify vulnerable devices in their networks. Given the active exploitation and complete compromise potential, security teams should treat this as a critical priority requiring immediate remediation.