A critical authentication bypass vulnerability (CVE-2025-64446) in Fortinet FortiWeb is being actively exploited in the wild. The exploit chains two weaknesses: a path traversal in the API URI that redirects requests to the fwbcgi binary, and an authentication bypass via the CGIINFO HTTP header. The header accepts a Base64-encoded JSON payload specifying a user to impersonate — including the built-in admin — with no validation. This allows unauthenticated attackers to gain full administrative access and perform any privileged action, such as creating backdoor admin accounts. Affected versions span FortiWeb 6.3 through 8.0.1. Version 8.0.2 silently patches the issue. A detection artefact generator has been released on GitHub to help defenders identify vulnerable hosts.
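
As an added, defender-side example (not code from the watchTowr write-up, from Fortinet, or from the GitHub artefact generator), the script below does two things a practitioner would want after reading the summary above: classify a FortiWeb version string against the stated affected range (6.3 through 8.0.1 affected, 8.0.2 fixed, anything older than 6.3 reported as unknown rather than safe), and triage reverse-proxy or access-log lines for the two traits of the chain: path-traversal sequences aimed at a CGI binary in the API path, and a client-supplied CGIINFO header carrying Base64-encoded JSON that names an account. The log line format, the `/api/` prefix and `cgi-bin` location, and the JSON key names (`username`, `user`, `loginname`) are assumptions for the example; the write-up summary does not give them, and the sample log entries are constructed.

```python
import base64
import binascii
import json
import re

# Constructed log format (an assumption, not FortiWeb's own log format):
#   <client> "<METHOD> <path> HTTP/1.1" <status> [cgiinfo="<header value>"]
LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
    r'(?: cgiinfo="(?P<cgiinfo>[^"]*)")?\s*$'
)
# Plain and URL-encoded dot-dot-slash variants.
TRAVERSAL_RE = re.compile(r"(?:\.\.[/\\]|%2e%2e(?:%2f|%5c|/)|\.\.%2f)", re.IGNORECASE)
# The traversal matters when it resolves toward the CGI handler the summary names.
CGI_TARGET_RE = re.compile(r"/cgi-bin/|fwbcgi", re.IGNORECASE)
# Candidate key names for the impersonated account in the decoded JSON (assumed).
USER_KEYS = ("username", "user", "loginname")

AFFECTED_LOW = (6, 3)      # lowest affected branch named in the summary
AFFECTED_HIGH = (8, 0, 1)  # last affected release; 8.0.2 carries the fix


def parse_version(text):
    """'8.0.1' -> (8, 0, 1); raises ValueError on anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def version_status(text):
    """'affected', 'fixed', or 'unknown' (older than the published range, so not assumed safe)."""
    v = parse_version(text)
    if v < AFFECTED_LOW:
        return "unknown"
    if v <= AFFECTED_HIGH:
        return "affected"
    return "fixed"


def decode_cgiinfo(value):
    """Return the JSON object if the header value is Base64-encoded JSON, otherwise None."""
    try:
        raw = base64.b64decode(value, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, ValueError):  # bad Base64, bad UTF-8, or not JSON
        return None
    return obj if isinstance(obj, dict) else None


def triage_line(line):
    """List the reasons a request looks like the described chain; [] means nothing suspicious."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable log line"]
    reasons = []
    path = m.group("path")
    if TRAVERSAL_RE.search(path):
        reasons.append("path traversal sequence in request path")
        if CGI_TARGET_RE.search(path):
            reasons.append("traversal resolves toward the CGI binary")
    cgiinfo = m.group("cgiinfo")
    if cgiinfo is not None:
        # A client should never supply this header; its presence alone is worth a look.
        reasons.append("CGIINFO header supplied by client")
        obj = decode_cgiinfo(cgiinfo)
        if obj is not None:
            for key in USER_KEYS:
                if key in obj:
                    reasons.append(f"CGIINFO names account {obj[key]!r}")
                    break
    return reasons


def triage_log(lines):
    """Return [(line_number, reasons), ...] for every line with at least one reason."""
    findings = []
    for number, line in enumerate(lines, start=1):
        reasons = triage_line(line)
        if reasons:
            findings.append((number, reasons))
    return findings


def _b64(payload):
    """Helper to build constructed sample values; dicts are JSON-encoded first."""
    data = json.dumps(payload).encode() if isinstance(payload, dict) else payload
    return base64.b64encode(data).decode()


# Constructed sample log: one benign request, one matching the full chain,
# one with a CGIINFO value that is not JSON, and one traversal not aimed at CGI.
SAMPLE_LOG = [
    '203.0.113.7 "GET /api/system/status HTTP/1.1" 200',
    '198.51.100.9 "POST /api/../cgi-bin/fwbcgi HTTP/1.1" 200 cgiinfo="%s"' % _b64({"username": "admin"}),
    '192.0.2.5 "GET /api/login HTTP/1.1" 200 cgiinfo="%s"' % _b64(b"not-json"),
    '203.0.113.7 "GET /static/../../etc/passwd HTTP/1.1" 404',
]

if __name__ == "__main__":
    for ver in ("7.6.4", "8.0.1", "8.0.2", "6.2.9"):
        print(ver, version_status(ver))
    for number, reasons in triage_log(SAMPLE_LOG):
        print(f"line {number}: " + "; ".join(reasons))
```

The version check deliberately returns "unknown" rather than "fixed" for releases older than 6.3, because the summary only states the affected span and says nothing about earlier branches. The log triage treats the bare presence of a client-supplied CGIINFO header as a finding on its own, since the decoded payload may be malformed or use key names other than the assumed ones.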

From labs.watchtowr.com
Table of contents
The Vulnerability
Is Fortinet Aware?
The First Step - The Path Traversal
Step Two - FWBCGI
Step Two (a) - cgi_inputcheck()
Step Two (b) - Impersonating Users Via cgi_auth()
Exploiting The Vulnerability
Detection Artefact Generator