Executive Summary
In November 2025, researchers observed active exploit attempts targeting FortiWeb appliances via CVE-2025-64446. Attackers sent specially crafted POST requests to FortiWeb's administration interface, leveraging the vulnerability to create privileged admin accounts remotely. The attack, first detected in internet-facing honeypots, could give adversaries unauthorized control over victim devices and lateral access to connected environments. Organizations running vulnerable firmware versions face the risk of compromise if patches are not applied.
This incident highlights the rapid adoption and automation of new web application exploits by threat actors. With FortiWeb appliances deployed widely across critical infrastructure, mass exploitation attempts have increased urgency for organizations to implement robust patch management and web application security controls.
Why This Matters Now
Threat actors are actively weaponizing new CVEs against widely used security appliances like FortiWeb, often before organizations can apply patches. With automated exploit scripts in circulation, exposure windows for unpatched systems are shrinking, driving regulatory and business urgency for rapid vulnerability management, real-time monitoring, and zero trust controls.
Attack Path Analysis
The attacker initiated exploitation by sending crafted POST requests targeting CVE-2025-64446 on a FortiWeb appliance, creating a new privileged admin user. Using this account, they escalated to full administrative access. The attacker may then have moved laterally across internal network segments using the compromised credentials. Command and control could be established through outbound connections, allowing remote management of the compromised environment, and data exfiltration or other malicious activity might be carried out with the new privileges. The impact could include unauthorized access, data theft, or further compromise of cloud resources.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited a FortiWeb CVE-2025-64446 vulnerability by sending a crafted POST request to the web application endpoint, creating a new admin user account.
Related CVEs
CVE-2025-64446
CVSS 9.8
A relative path traversal vulnerability in Fortinet FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
Affected Products:
Fortinet FortiWeb – 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, 7.0.0 through 7.0.11
Exploit Status:
Exploited in the wild
CVE-2025-64447
CVSS 9.8
A reliance on cookies without validation and integrity checking vulnerability in Fortinet FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11 may allow an unauthenticated attacker to execute arbitrary operations on the system via crafted HTTP or HTTPS requests using forged cookies, requiring prior knowledge of the FortiWeb serial number.
Affected Products:
Fortinet FortiWeb – 8.0.0 through 8.0.1, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11, 7.0.0 through 7.0.11
Exploit Status:
proof of concept
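The two affected-version lists above differ only in the 7.6.x and 7.4.x upper bounds, which makes manual inventory checks error-prone. The following is an added example (not part of this advisory or any Fortinet tooling) that triages a constructed list of hostnames and firmware versions against both ranges; it assumes the three-part "major.minor.patch" version format used in the advisory text.

```python
# Added example: triage FortiWeb firmware versions against the affected ranges
# this advisory lists for CVE-2025-64446 and CVE-2025-64447 (inclusive bounds).

AFFECTED_RANGES = {
    "CVE-2025-64446": [("8.0.0", "8.0.1"), ("7.6.0", "7.6.4"), ("7.4.0", "7.4.9"),
                       ("7.2.0", "7.2.11"), ("7.0.0", "7.0.11")],
    "CVE-2025-64447": [("8.0.0", "8.0.1"), ("7.6.0", "7.6.5"), ("7.4.0", "7.4.10"),
                       ("7.2.0", "7.2.11"), ("7.0.0", "7.0.11")],
}


def parse_version(text):
    """Turn '7.4.10' into (7, 4, 10). Integer tuples compare correctly;
    plain string comparison would wrongly rank '7.4.10' below '7.4.9'."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    return tuple(int(p) for p in parts)


def affected_cves(version_text):
    """Return the CVE IDs from this advisory whose published ranges
    include the given firmware version (empty list if none)."""
    v = parse_version(version_text)
    return [cve for cve, ranges in AFFECTED_RANGES.items()
            if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)]


def triage(inventory):
    """Map each (hostname, version) pair to the CVEs it is exposed to.
    Unparseable versions are reported as 'unknown' rather than silently
    treated as safe, so they still get a manual look."""
    report = {}
    for host, version_text in inventory:
        try:
            report[host] = affected_cves(version_text)
        except ValueError:
            report[host] = ["unknown"]
    return report


if __name__ == "__main__":
    # Constructed sample inventory for demonstration only (not real hosts).
    sample = [("waf-edge-1", "7.6.4"), ("waf-edge-2", "7.6.5"),
              ("waf-dc-1", "8.0.2"), ("waf-lab", "build 1.2")]
    for host, cves in triage(sample).items():
        print(f"{host:12} {', '.join(cves) or 'not in a listed range'}")
```

A version outside every listed range is reported as clear for these two CVEs only; it says nothing about other advisories, so keep the range table in sync with the vendor PSIRT page.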
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Create Account
Valid Accounts
Exploitation for Privilege Escalation
Modify Authentication Process
Account Discovery
Account Manipulation
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Public-Facing Web Application Protection
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 6
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Admin Account Lifecycle Management
Control ID: Identity Pillar: Identity Governance
NIS2 Directive – Supply Chain and System Security
Control ID: Article 21(2)d
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
FortiWeb CVE-2025-64446 exploits targeting web applications threaten transaction security, requiring enhanced egress filtering and zero trust segmentation for regulatory compliance.
Health Care / Life Sciences
Web application vulnerabilities creating unauthorized admin access risk HIPAA violations, demanding threat detection capabilities and encrypted traffic protection for patient data.
Government Administration
Admin privilege escalation exploits through web applications expose critical infrastructure, necessitating multicloud visibility and inline IPS protection against targeted attacks.
Information Technology/IT
FortiWeb security appliance exploits demonstrate the need for a cloud native security fabric and anomaly detection to protect managed services infrastructure and clients.
Sources
- Honeypot: FortiWeb CVE-2025-64446 Exploits, (Sat, Nov 15th) – https://isc.sans.edu/diary/rss/32486 (Verified)
- NVD - CVE-2025-64446 – https://nvd.nist.gov/vuln/detail/CVE-2025-64446 (Verified)
- Fortinet PSIRT Advisory FG-IR-25-910 – https://fortiguard.fortinet.com/psirt/FG-IR-25-910 (Verified)
- CISA Known Exploited Vulnerabilities Catalog – https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-64446 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Robust application segmentation, inline perimeter controls, and multicloud visibility would have limited exploitation, privilege abuse, and lateral spread by enforcing least privilege network access and detecting anomalous admin creation. CNSF Zero Trust controls such as Zero Trust Segmentation, Inline IPS, and Threat Detection would have blocked or alerted on key attack steps.
Control: Inline IPS (Suricata)
Mitigation: Blocks known exploit traffic at the network layer before application compromise.
Control: Zero Trust Segmentation
Mitigation: Limits access scope, restricting what resources newly created admin accounts can reach.
Control: East-West Traffic Security
Mitigation: Prevents unauthorized internal movement between workloads and regions.
Control: Egress Security & Policy Enforcement
Mitigation: Detects and blocks suspicious outbound connections to unknown or unapproved destinations.
Control: Encrypted Traffic (HPE)
Mitigation: Ensures all sensitive data exfiltration attempts are visible and can be encrypted at line rate.
Control: Threat Detection
Mitigation: Triggers alerts and initiates incident response on anomalous privilege or destructive actions.
Impact at a Glance
Affected Business Functions
- Web Application Security
- Network Administration
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of administrative credentials and sensitive configuration data due to unauthorized command execution.
Recommended Actions
Key Takeaways & Next Steps
- Implement Inline IPS and signature-driven controls at all cloud ingress points to block known exploits before application compromise.
- Enforce Zero Trust Segmentation and least privilege policies to limit the blast radius of privileged accounts and new admin user creation.
- Deploy east-west network controls to prevent unauthorized lateral movement across hybrid and multi-cloud environments.
- Configure strict egress filtering and real-time monitoring to detect and block outbound C2 or exfiltration attempts.
- Leverage continuous threat detection, automated anomaly response, and centralized visibility to accelerate detection and containment of cloud threats.