Mallory
Critical · CISA KEV · Exploited in the wild · Public exploit

Fortinet FortiWeb Relative Path Traversal Leading to Unauthenticated Administrative Command Execution

Identifiers: CVE-2025-64446 · CWE-23 · Relative Path Traversal

CVE-2025-64446 is a critical relative path traversal vulnerability in Fortinet FortiWeb that affects FortiWeb 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. The flaw is reachable via crafted HTTP or HTTPS requests to the FortiWeb management interface and allows traversal from GUI/API paths to sensitive CGI functionality, including the fwbcgi component. Public reporting indicates attackers can use crafted POST requests to traversed paths such as /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi to invoke administrative functionality without prior authentication. Observed exploitation has included creation of rogue administrator accounts and access to the FortiWeb Manager panel and websocket CLI. Fortinet describes the issue as allowing execution of administrative commands on the system via crafted HTTP or HTTPS requests.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to gain administrative control of the affected FortiWeb appliance. Reported outcomes include execution of administrative or maintenance commands, creation of new administrator accounts, access to the FortiWeb Manager interface and websocket command-line interface, durable persistence on the appliance, and effective full takeover of exposed devices. Public reporting also notes that this access can facilitate follow-on activity such as configuration tampering and lateral movement within the environment. Some reporting describes chaining with CVE-2025-58034 to achieve command injection and unauthorized remote code execution, but CVE-2025-64446 alone is specifically documented as providing unauthenticated administrative access and command execution in the FortiWeb management context.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable HTTP or HTTPS on internet-facing FortiWeb interfaces and restrict management access to internal or tightly controlled networks only. This reduces exposure but does not replace patching. Additional defensive actions supported by the source material include monitoring for suspicious traversal URIs, POST requests targeting fwbcgi, python-urllib3 user agents, unexpected CGIINFO headers, anomalous management activity, and newly created local administrator accounts. Review configurations and logs for unauthorized changes dating back to the reported exploitation window in October 2025.
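The monitoring indicators listed above can be turned into a small log triage pass. The following is an added example written for this page, not Mallory's or Fortinet's own detection logic: it percent-decodes and normalizes each request path so that a traversal chain is judged by where it actually lands, then scores a line on the indicators the brief names (traversal sequences, requests resolving to cgi-bin/fwbcgi, the python-urllib3 user agent, and a CGIINFO header arriving from outside). The log format and the sample lines are constructed for the example and are not real FortiWeb log output; a real deployment would feed it the access or management log fields of the appliance or of the proxy in front of it.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real FortiWeb log output). Assumed format:
# client_ip method path status "user_agent" extra   where extra is "CGIINFO=present" or "-"
SAMPLE_LOGS = [
    '203.0.113.7 POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi 200 "python-urllib3/2.2.1" CGIINFO=present',
    '198.51.100.2 GET /api/v2.0/cmdb/system/admin 200 "Mozilla/5.0" -',
    '203.0.113.9 POST /api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi 403 "curl/8.4.0" -',
    '192.0.2.5 POST /api/v2.0/cmdb/system/admin 200 "Mozilla/5.0" -',
    '192.0.2.6 GET /login 200 "python-urllib3/2.2.1" -',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)" (?P<extra>\S+)$'
)


def normalize_path(raw_path: str) -> str:
    """Percent-decode once, then resolve '.' and '..' segments.

    A decoded '?' is deliberately kept as part of the path segment so the '..'
    chain is resolved against the whole string; for detection that is the
    conservative choice, because it shows where the request would land on a
    handler that treats the entire string as a path.
    """
    return posixpath.normpath(unquote(raw_path))


def analyze_line(line: str):
    """Return a finding dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    decoded = unquote(f["path"])
    normalized = normalize_path(f["path"])
    reasons = []

    traversal = "/../" in decoded or decoded.endswith("/..")
    if traversal:
        reasons.append("traversal sequence in request URI")
    hits_fwbcgi = normalized.endswith("/cgi-bin/fwbcgi")
    if hits_fwbcgi:
        reasons.append("path resolves to cgi-bin/fwbcgi")
        if f["method"] == "POST":
            reasons.append("POST to fwbcgi")
    if f["ua"].startswith("python-urllib3"):
        reasons.append("python-urllib3 user agent")
    if "CGIINFO" in f["extra"]:
        reasons.append("CGIINFO header present on an external request")

    # Traversal that lands on fwbcgi and was answered 200 is the strongest signal;
    # the same request answered 403 still means someone is probing the device.
    if traversal and hits_fwbcgi:
        severity = "high" if f["status"] == "200" else "medium"
    elif reasons:
        severity = "low"
    else:
        severity = "none"

    return {
        "ip": f["ip"],
        "status": int(f["status"]),
        "normalized_path": normalized,
        "severity": severity,
        "reasons": reasons,
    }


def scan(lines):
    """Findings for every line carrying at least one indicator, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [r for r in map(analyze_line, lines) if r and r["severity"] != "none"]
    return sorted(findings, key=lambda r: order[r["severity"]])


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f'{hit["severity"]:6} {hit["ip"]:14} {hit["status"]} '
              f'{hit["normalized_path"]}  <- {"; ".join(hit["reasons"])}')
```

Lines that score high are the ones to pivot on when reviewing administrator accounts and configuration changes back to the October 2025 exploitation window; medium hits against a patched or firewalled device are still worth recording as reconnaissance against the management interface.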

Remediation

Patch, then assume compromise.

Upgrade to a fixed FortiWeb release immediately. Fixed versions reported in the source material are FortiWeb 8.0.2 or later, 7.6.5 or later, 7.4.10 or later, 7.2.12 or later, and 7.0.12 or later. Organizations running affected systems should also review device configuration and logs after patching for signs of compromise, including unexpected POST requests to traversal paths, suspicious CGIINFO headers, anomalous fwbcgi activity, and unauthorized or newly created administrator accounts. Updating to a fixed version is the only complete remediation described in the source material.
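Deciding which appliances need the upgrade is a version-range check per release branch. The script below is an added example for this page, not Fortinet's or Mallory's tooling: it encodes the affected ranges and first fixed releases exactly as stated above, classifies a version string as affected, fixed, or unlisted, and runs that over a small inventory. The inventory names and versions are constructed; branches the page does not list (for example anything below 7.0) are reported as "unlisted" rather than assumed safe, so they can be checked against the vendor advisory.

```python
import re

# Affected ranges and first fixed release per branch, as stated on this page.
# Key: (major, minor) branch -> (last affected patch level, first fixed version).
BRANCHES = {
    (8, 0): (1, "8.0.2"),
    (7, 6): (4, "7.6.5"),
    (7, 4): (9, "7.4.10"),
    (7, 2): (11, "7.2.12"),
    (7, 0): (11, "7.0.12"),
}

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str):
    """Turn '7.4.3' (optionally 'v7.4.3') into (7, 4, 3); raise ValueError otherwise."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def assess(version: str):
    """Classify one FortiWeb version against the ranges on this page.

    Returns ("affected", first_fixed) for versions inside an affected range,
    ("fixed", None) for a listed branch at or above its fixed release, and
    ("unlisted", None) for branches the text here does not cover, which must
    be checked against the vendor advisory rather than assumed safe.
    """
    major, minor, patch = parse_version(version)
    branch = BRANCHES.get((major, minor))
    if branch is None:
        return ("unlisted", None)
    last_affected, first_fixed = branch
    # Every affected range starts at x.y.0, so a single upper bound is enough.
    if patch <= last_affected:
        return ("affected", first_fixed)
    return ("fixed", None)


def triage(inventory):
    """Map device name -> (state, first_fixed) for a {name: version} inventory."""
    return {name: assess(ver) for name, ver in inventory.items()}


# Constructed inventory for illustration (names and versions are made up).
SAMPLE_INVENTORY = {
    "fwb-dmz-01": "7.4.9",
    "fwb-dmz-02": "7.4.10",
    "fwb-core-01": "8.0.1",
    "fwb-lab-01": "7.2.12",
    "fwb-legacy-01": "6.4.3",
}

if __name__ == "__main__":
    for name, (state, fix) in triage(SAMPLE_INVENTORY).items():
        action = f"upgrade to {fix} or later" if state == "affected" else ""
        print(f"{name:14} {SAMPLE_INVENTORY[name]:8} {state:9} {action}")
```

Any device that comes back "affected" should be treated as exposed during the whole window it was reachable, which is why the post-patch review of accounts and configuration above applies even after the upgrade reports "fixed".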
PUBLIC EXPLOITS

Exploits

10 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (10 hidden).

Valid: 10 / 20 total
Vulnerability-CVE-2025-64446-CVE-2025-58034 · Maturity: PoC · Verified exploit

Repository contains a small Python proof-of-concept exploit and a README describing two FortiWeb vulnerabilities. The actual code in exploit.py targets CVE-2025-64446, not CVE-2025-58034 directly. It parses a target hostname/URL, defaults to HTTPS on port 443, disables TLS certificate verification, and sends a crafted POST request to the traversal path /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi. The request includes a base64-encoded CGIINFO header that impersonates admin context and a JSON body defining a new local administrative account with prof_admin privileges. If the server returns HTTP 200, the script reports success and prints the created username/password; otherwise it reports failure or connection errors. The script supports optional custom credentials via CLI flags, otherwise generates a random 8-character username from a UUID and reuses it as the password. The README provides contextual explanation of both CVEs, affected FortiWeb versions, usage instructions, and a manual post-authentication command injection example for CVE-2025-58034 via SAML user configuration. Overall, this is an operational exploit for unauthenticated admin account creation on vulnerable FortiWeb devices, with the README documenting a second-stage authenticated RCE path.

litndat · Disclosed Jun 24, 2026 · python, markdown · web, network
CVE-2025-64446 · Maturity: PoC · Framework: nuclei · Verified exploit

Repository contains a FortiWeb CVE-2025-64446 exploit, a Nuclei detection template, and a larger Python scanner/classifier. Because the repository includes a Nuclei template, the framework is identified as nuclei, but the repo is not limited to framework content; the main offensive capability is in CVE-2025-64446.py. That script is a standalone Python exploit that takes a target in host:port format, disables TLS verification, and sends a POST request to the traversal endpoint /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi. It forges a CGIINFO header containing base64-encoded JSON impersonating admin context and submits a JSON body that creates a new local administrator with prof_admin privileges, unrestricted trust hosts, and a generated password. If the server returns HTTP 200, the script reports the newly created credentials. The included CVE-2025-64446.yaml is a Nuclei template for safe detection only: it posts to the same traversal path and matches on HTTP 200 plus response content such as errcode/admin while excluding 403. The larger RCE-Fortiweb.py file is not an RCE exploit despite its name; from the visible code it is a concurrent scanner/classifier that probes /api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi, follows redirects, inspects response bodies/headers, and labels targets as VULNERABLE, PATCHED, POSSIBLY PATCHED, or INDETERMINATE. Overall, the repository’s purpose is to exploit and detect Fortinet FortiWeb authentication bypass/path traversal leading to unauthenticated administrator creation on affected versions.

0xBlackash · Disclosed Mar 26, 2026 · python, yaml · web, network
Ashwesker-CVE-2025-64446 · Maturity: PoC · Verified exploit

This repository contains a working exploit for CVE-2025-64446, a critical unauthenticated path traversal vulnerability in Fortinet FortiWeb appliances (versions prior to 8.0.2). The exploit is implemented in Python (CVE-2025-64446.py) and automates the process of creating a new local administrator account on a vulnerable FortiWeb device by sending a specially crafted POST request to a hidden CGI endpoint. The exploit takes a single target or a file of targets, attempts exploitation, and writes results (including credentials for any successfully created admin accounts) to a local file. The README.md provides extensive background, impact, IOCs, and defensive recommendations. The main attack vector is network-based, targeting the management interface over HTTPS. The endpoint '/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi' is fingerprintable and central to the exploit. The exploit is operational, providing real admin access if successful, but does not include post-exploitation payloads beyond account creation.

Ashwesker · Disclosed Nov 15, 2025 · python, markdown · network
cve-2025-64446-fortiweb-exploit · Maturity: PoC · Verified exploit

This repository provides a comprehensive exploit toolkit for CVE-2025-64446, a critical path traversal and remote code execution vulnerability in Fortinet FortiWeb WAF. The repository contains two main Python scripts: 1. cve_2025_64446_fortiweb_exploit.py: A full-featured exploit tool that automates detection of FortiWeb WAF, tests for path traversal using multiple payload variations, attempts to read sensitive files (such as configuration files and /etc/passwd), uploads a webshell, and executes arbitrary commands on the target. It supports scanning multiple targets, proxy usage, multi-threading, and outputs results in JSON format. 2. cve_2025_64446_poc.py: A simple proof-of-concept script that demonstrates the vulnerability by attempting to read arbitrary files via path traversal, confirming the presence of the vulnerability without causing harm. The exploit works by sending HTTP requests with crafted path traversal payloads to endpoints on the target FortiWeb instance. If successful, it can read sensitive files and escalate to remote code execution. The scripts are intended for authorized security testing and research only. The repository also includes a README with detailed usage instructions, mitigation advice, and references to official advisories. No hardcoded IP addresses or domains are present; the scripts operate on user-supplied targets. The main fingerprintable endpoints are the path traversal payloads and standard FortiWeb detection endpoints (e.g., /login, /index.html).

AN5I · Disclosed Nov 21, 2025 · python · network
CVE-2025-64446_CVE-2025-58034 · Maturity: PoC · Verified exploit

This repository contains a working exploit for a critical unauthenticated remote code execution (RCE) chain affecting Fortinet FortiWeb appliances. The exploit leverages two vulnerabilities: CVE-2025-64446 (authentication bypass via relative path traversal) and CVE-2025-58034 (authenticated OS command injection). The provided Python script (exploit.py) automates the first stage of the attack by sending a crafted POST request to the vulnerable endpoint (/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi) to create a new administrative user without prior authentication. The script accepts the target IP/hostname and optional username/password for the new admin account. Once the account is created, the attacker can log in and exploit the command injection vulnerability to execute arbitrary commands as root (the second stage is described in the README but not fully automated in the script). The repository also includes a requirements.txt for dependencies and a detailed README.md explaining the vulnerabilities, usage, and impact. The exploit is operational and provides a clear path to full system compromise on affected FortiWeb versions.

lincemorado97 · Disclosed Nov 18, 2025 · python · network
CVE-2025-64446 · Maturity: PoC · Verified exploit

This repository contains a proof-of-concept exploit for CVE-2025-64446, targeting Fortinet FortiWeb appliances. The exploit is implemented in a single script (CVE-2025-64446.py) and demonstrates an unauthenticated remote code execution (RCE) vulnerability via a combination of path traversal and CGI authentication bypass. The script crafts a base64-encoded header and a JSON payload to create a new administrative user on the target system by sending a specially crafted HTTP POST request to a vulnerable API endpoint (https://localhost:38443/api/v2.0/cmdb/system/admin%3f/../../../cgi-bin/fwbcgi). The exploit uses 'curl' via subprocess to perform the attack. The repository also includes a README.md briefly describing the vulnerability and a standard GNU GPL license file. No detection scripts or fake code are present; the exploit is functional and demonstrates the vulnerability by creating a new admin user.

D3crypT0r · Disclosed Nov 17, 2025 · python, bash · network
CVE-2025-64446 · Maturity: PoC · Verified exploit

This repository contains a working proof-of-concept exploit for CVE-2025-64446, a critical unauthenticated remote code execution vulnerability in Fortinet FortiWeb appliances. The exploit is implemented in a single Python script (cve-2025-64446.py) and is accompanied by a detailed README.md explaining the vulnerability and usage instructions. The exploit leverages a path traversal flaw to reach an internal CGI handler, forges authentication headers, and sends a crafted JSON payload to create a new local administrative user on the target device. The script requires the attacker to specify the target's IP address and port in the format <host:port>. Upon successful exploitation, the script outputs the credentials for the newly created admin user, granting the attacker full administrative access to the device. The attack is fully remote, requires no prior authentication, and is executed via a single HTTPS POST request to a vulnerable endpoint. No hardcoded IPs or domains are present; the target is specified at runtime. The repository is well-structured, with clear separation between documentation and exploit code.

verylazytech · Disclosed Nov 17, 2025 · python · network
CVE-2025-64446-Exploit · Maturity: PoC · Verified exploit

This repository contains a Python exploit (exploit_forti.py) targeting CVE-2025-64446 in Fortinet FortiWeb (WAF) appliances. The exploit allows an attacker to create a new local admin user with a known password by sending a specially crafted POST request to a vulnerable endpoint on the target device. The script can take a single target or a file containing multiple targets, and attempts exploitation over HTTPS (default port 443, but customizable). Results, including successful credentials, are saved to a local file (fortiweb_exploit_results.txt). The repository also includes a README.md with usage instructions and a sample result screenshot. The exploit is operational, providing real administrative access if the target is vulnerable. No detection-only or fake code is present; the exploit is functional and focused on privilege escalation via user creation.

soltanali0 · Disclosed Nov 15, 2025 · python · network
CVE-2025-64446-FortiWeb-CGI-Bypass-PoC · Maturity: PoC · Verified exploit

This repository provides a Python-based exploit tool for CVE-2025-64446, a path traversal vulnerability in Fortinet FortiWeb web application firewalls. The repository contains three files: a detailed README.md with usage instructions, a requirements.txt listing dependencies (requests, urllib3), and the main exploit script exploit.py. The exploit.py script allows users to verify if a FortiWeb device is vulnerable by attempting to access internal API endpoints using crafted path traversal payloads. If the device is found vulnerable, the tool can exploit the CGI endpoint to create or modify user accounts, effectively allowing privilege escalation or unauthorized access. The tool supports both single and multiple targets, configurable via command-line arguments or a file. All network interactions are performed over HTTP or HTTPS (default port 443), and the endpoints targeted are specific to FortiWeb's internal API structure. The exploit is operational, providing both detection and exploitation capabilities, and is intended for authorized security testing only.

sxyrxyy · Disclosed Nov 14, 2025 · python · network
CVE-2025-64446-PoC---FortiWeb-Path-Traversal · Maturity: PoC · Verified exploit

This repository provides a proof-of-concept (PoC) and a research tool for CVE-2025-64446, a critical path traversal vulnerability in Fortinet FortiWeb. The repository contains six files: a disclaimer, license, README, requirements, and two Python scripts ('exploit.py' and 'poc.py'). The README details the affected FortiWeb versions and usage instructions. The 'poc.py' script is a detection tool that checks if a target is vulnerable by sending crafted HTTP(S) requests with path traversal payloads to specific API endpoints and attempts to gather system information. The 'exploit.py' script is a non-destructive research tool that probes the same endpoints to collect response data, but does not execute any commands or alter the system. Both scripts require Python 3.6+ and the 'requests' library. The main attack vector is network-based, targeting the FortiWeb web interface over HTTP or HTTPS. The endpoints targeted are administrative and configuration APIs, accessed via path traversal sequences. No destructive or post-exploitation payloads are included; the tools are strictly for detection and research purposes.

fevar54 · Disclosed Nov 14, 2025 · python · network

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor     Product    Type
Fortinet   Fortiweb   application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware (1)

Malware families riding this exploit, with evidence and IOCs.

Detection signatures (3)

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity (144)

Community discussion across Reddit, Mastodon, and other social sources.