The researcher’s desk: FortiWeb Authentication Bypass (CVE-2025-64446)

Welcome to The researcher’s desk  – a content series where the Detectify security research team conducts a technical autopsy on vulnerabilities that are particularly interesting, complex, or persistent. For this issue, we look at CVE-2025-64446, a critical authentication bypass that has been actively exploited in the wild, targeting Fortinet’s Web Application Firewall (WAF) product, FortiWeb.

The Case File: Unauthenticated control

Vulnerability Type	Authentication Bypass / Impersonation Flaw
Disclosure Date	November 14, 2025
Score	9.8 (Critical)
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifier	CVE-2025-64446
Vulnerable Component	Fortinet FortiWeb (Web Application Firewall)
Final Impact	Unauthenticated execution of administrative commands / complete control.
Observations	Exploited in the wild; involved a “silent patch.”

What’s the root cause of CVE-2025-64446?

The core issue is a complex Unauthenticated Authentication Bypass flaw. It involves an improper handling mechanism within the FortiWeb appliance that is related to user impersonation functionality.

Essentially, the vulnerability allows an attacker to manipulate the way the system validates user identity, tricking the appliance into granting administrative privileges. The flaw is rooted in how a function intended to handle user context is improperly exposed or protected, enabling its misuse for unauthorized access.

What’s the mechanism behind CVE-2025-64446?

The mechanism involves bypassing the standard login procedure to gain full administrative privileges on the FortiWeb appliance.

• Bypass the gate: The attacker first leverages a mechanism (reported as a Relative Path Traversal combined with a logic flaw) to reach a restricted executable or API endpoint on the FortiWeb device.
• Impersonation: Once the endpoint is reached, the attacker sends specially crafted input (often within an HTTP header) containing fields designed to impersonate the built-in admin account.
• Complete compromise: The appliance’s authentication function processes this untrusted input and grants the attacker an administrative context. This allows the attacker to execute administrative commands, often leading to the creation of a new, persistent administrator account with known credentials, which grants complete control over the WAF.

This flaw is interesting because it showcases the danger of authentication logic errors and how seemingly internal, administrative functions (like impersonation) can be weaponized when not properly secured. The flaw was exploited in attacks before a public patch was available, confirming its zero-day status.

Defensive takeaways

• Patching: Fortinet issued updates to resolve this vulnerability. Users must apply the security patch immediately to all affected FortiWeb versions.
• Management Access: Review the administrative user list for any new, unknown, or unauthorized accounts created since the beginning of October 2025 on the VPN appliance as a sign of compromise.
• The Detectify Approach: Detectify customers are running payload-based tests to check for the specific combination of path manipulation and header injection required to trigger this unauthenticated authentication bypass, providing early warning for vulnerable assets.

Questions? We’re happy to hear from you via support@detectify or book a demo to learn more about Detectify.

References

• https://nvd.nist.gov/vuln/detail/cve-2025-64446
• https://www.bleepingcomputer.com/news/security/fortinet-confirms-silent-patch-for-fortiweb-zero-day-exploited-in-attacks/
• https://labs.watchtowr.com/when-the-impersonation-function-gets-used-to-impersonate-users-fortinet-fortiweb-auth-bypass/
• https://blog.qualys.com/vulnerabilities-threat-research/2025/11/14/unauthenticated-authentication-bypass-in-fortinet-fortiweb-cve-2025-64446-exploited-in-the-wild