U.S. CISA adds Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Fortinet FortiWeb flaw, tracked as CVE-2025-64446 (CVSS score of 9.1), to its Known Exploited Vulnerabilities (KEV) catalog.

The vulnerability is a relative path traversal issue in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, and FortiWeb 7.0.0 through 7.0.11. An attacker can exploit the flaw to execute administrative commands on the system by sending crafted HTTP or HTTPS requests to vulnerable devices.

Defused and researcher Daniel Card report that attackers are exploiting the flaw by sending a crafted HTTP POST request to “/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi” to create a new admin account.
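For defenders reviewing access logs, the request path quoted above can be detected by decoding and normalizing the path rather than matching it as a literal string. The following is an added example (not from Security Affairs, Defused or Fortinet) that parses constructed combined-format log lines and flags requests whose decoded path uses dot segments to escape the API prefix into `/cgi-bin/`; the log format and sample lines are assumptions, not real FortiWeb output.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample access-log lines in combined-log shape (not real FortiWeb
# logs): a benign API call, the traversal request described in the post, and
# the same request with double percent-encoding and encoded slashes.
SAMPLE_LOG = """\
198.51.100.3 - - [14/Nov/2025:10:01:05 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 200 1024
203.0.113.7 - - [14/Nov/2025:10:01:02 +0000] "POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512
203.0.113.9 - - [14/Nov/2025:10:02:11 +0000] "POST /api/v2.0/cmdb/system/admin%253F/..%2F..%2F..%2F..%2F..%2Fcgi-bin/fwbcgi HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})')

def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so double encoding cannot hide '..' or '/'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify_path(raw_path):
    """Return (normalized target, reason) for a suspicious path, else (None, None)."""
    # Judge the decoded path as a whole: '%3F' becomes '?', but what follows is
    # still path segments, since the reported requests rely on '..' after it.
    decoded = decode_fully(raw_path)
    if ".." not in decoded.split("/"):
        return None, None
    target = normpath("/" + decoded.lstrip("/"))  # '..' above '/' stays at '/'
    if target.startswith("/cgi-bin/"):
        return target, "dot-segment traversal from the API path into /cgi-bin/"
    return target, "dot-segment traversal in request path"

def find_traversal_requests(log_text):
    """Parse access-log lines and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target, reason = classify_path(m["path"])
        if reason:
            findings.append({"src": m["src"], "method": m["method"], "raw_path": m["path"],
                             "target": target, "status": int(m["status"]), "reason": reason})
    return findings
```

A 200 status on a flagged request is worth treating as a possible compromise indicator, followed by a review of the device's admin accounts.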

WatchTowr Labs confirmed the FortiWeb exploit and published a video PoC on X. The team also released a tool, the “FortiWeb Authentication Bypass Artifact Generator,” which tries to exploit the flaw by creating an admin account with a random 8-character username.

To read the complete article see: Security Affairs

This post is licensed under CC BY 4.0 by the author.