Now-Patched Fortinet FortiWeb Flaw Exploited to Create Unauthorized Admin Accounts

Cybersecurity researchers have discovered active exploitation of an authentication bypass vulnerability in Fortinet's FortiWeb Web Application Firewall (WAF) that allows attackers to create unauthorized administrator accounts and completely compromise affected devices. The flaw, now tracked as CVE-2025-64446 with a critical CVSS score of 9.1, was patched in FortiWeb version 8.0.2.

watchTowr researchers first detected indiscriminate exploitation of this vulnerability in early October 2025, noting that attackers are primarily using it to add rogue administrator accounts as a persistence mechanism. Fortinet has since acknowledged the vulnerability and confirmed it is being actively exploited in the wild.

How the vulnerability works

The critical flaw combines two separate vulnerabilities that together allow attackers to bypass authentication and execute administrative commands. According to watchTowr Labs researcher Sina Kheirkhah, the exploit involves:

1. A path traversal vulnerability that enables attackers to reach the "fwbcgi" executable through a specially crafted HTTP request
2. An authentication bypass mechanism using the HTTP request header CGIINFO

The attack works by sending a malicious HTTP POST request to the endpoint "/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi" with a CGIINFO header containing specific values that allow the attacker to impersonate the built-in admin account.

"That means an attacker can perform any privileged action simply by supplying the appropriate JSON structure," Kheirkhah explained in his analysis.

Benjamin Harris, watchTowr CEO and founder, emphasized the severity of the situation: "Given the indiscriminate exploitation observed, appliances that remain unpatched are likely already compromised."

This exploit is particularly concerning as it demonstrates how threat actors are actively targeting security infrastructure components. Organizations using FortiWeb should immediately implement multi-factor authentication for administrative access alongside patching to mitigate similar vulnerabilities in the future.

Detection and mitigation strategies

Indicators of compromise

Security researchers have identified several administrator usernames and passwords created by attackers exploiting this vulnerability in the wild:

• Testpoint / AFodIUU3Sszp5
• trader1 / 3eMIXX43
• trader / 3eMIXX43
• test1234point / AFT3$tH4ck
• Testpoint / AFT3$tH4ck
• Testpoint / AFT3$tH4ckmet0d4yaga!n

These credentials serve as a primary indicator that a system may have been compromised. Organizations should immediately check their FortiWeb installations for these or other unexpected administrator accounts.

Security teams should also implement robust network monitoring solutions to detect suspicious traffic patterns targeting web application firewalls. The MITRE ATT&CK framework provides valuable guidance on detection strategies for such attacks. For comprehensive protection, organizations should consider implementing a unified threat management system that combines multiple security functions to provide layered protection against sophisticated attacks.

Affected versions and recommended actions

According to Fortinet, the following FortiWeb versions are vulnerable:

• FortiWeb 8.0.0 through 8.0.1 (Upgrade to 8.0.2 or above)
• FortiWeb 7.6.0 through 7.6.4 (Upgrade to 7.6.5 or above)
• FortiWeb 7.4.0 through 7.4.9 (Upgrade to 7.4.10 or above)
• FortiWeb 7.2.0 through 7.2.11 (Upgrade to 7.2.12 or above)
• FortiWeb 7.0.0 through 7.0.11 (Upgrade to 7.0.12 or above)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch agencies to apply patches by November 21, 2025.

For organizations unable to patch immediately, Fortinet recommends disabling HTTP or HTTPS for internet-facing interfaces as a temporary workaround. Additionally, system administrators should:

1. Review logs for unexpected modifications or additions of unauthorized administrator accounts
2. Review system configurations for any suspicious changes
3. Implement network-level restrictions to limit access to management interfaces

"Limiting access to HTTP/HTTPS management interfaces to internal networks is a best practice that reduces, but does not eliminate, risk; upgrading the affected systems remains essential and is the only way to fully remediate this vulnerability," CISA stated in its advisory.

Industry implications and response

Criticism of Fortinet's "silent patching" approach

The incident has sparked criticism of Fortinet's security communication practices. Security experts have condemned the company's approach of "silently patching" the vulnerability without proper disclosure.

Caitlin Condon, vice president of security research at VulnCheck, stated, "Silently patching vulnerabilities is an established bad practice that enables attackers and harms defenders, particularly for devices and systems (including FortiWeb) that have previously been exploited in the wild. When popular technology vendors fail to communicate new security issues, they are issuing an invitation to attackers while choosing to keep that same information from defenders."

In response to the criticism, a Fortinet spokesperson told The Hacker News, "We are aware of this vulnerability and activated our PSIRT response and remediation efforts as soon as we learned of this matter, and those efforts remain ongoing. Fortinet diligently balances our commitment to the security of our customers and our culture of responsible transparency."

This vulnerability serves as an important reminder that organizations must be vigilant against various types of malware and attack vectors targeting security infrastructure. According to recent research from Mandiant, zero-day vulnerabilities in security products are increasingly being targeted by threat actors due to their high-value position in network architecture.

How organizations can use this information

This incident serves as a critical reminder for organizations to:

1. Implement a robust patch management program that prioritizes security updates for internet-facing assets like web application firewalls

2. Establish monitoring systems to detect unexpected administrative account creation or suspicious activity on security appliances

3. Develop and maintain an inventory of all security appliances, including version information, to quickly identify vulnerable systems during security events

The exploitation of this Fortinet vulnerability, much like the infamous "Log4Shell" vulnerability that sent IT teams scrambling in 2021, demonstrates how quickly threat actors can weaponize vulnerabilities in critical infrastructure components. Organizations must remain vigilant and responsive to security advisories and patches, particularly for internet-facing security appliances that often serve as the first line of defense against attacks.