Full Report
Fortinet FortiWeb had a 0-day that was identified publicly. This is a report of the timeline of the issue and the exploit that was found for it. The chain is made up of two security issues in total. The first vulnerability is a fairly simple-looking path traversal: by starting with a completely valid API path (`/api/v2.0/cmdb/system/admin/`) and then traversing backwards with `../`, it was possible to reach a different CGI executable on the device. The program likely took the rest of the path after the API endpoint and used it directly as the path of the executable to run; however, the actual vulnerable code path wasn't confirmed. Once the unintended CGI is called, there are still two checks to pass before `cgi_process` will handle the request: input validation and what looks like an auth check. The first check just performs basic JSON validation. The second, labeled `cgi_auth()`, is an impersonation function and NOT an authentication check. It reads the `CGIINFO` header and decodes a username, profile name, virtual domain and login identifier from it. With this information you can impersonate any user in the application, such as the built-in admin. The real exploit creates a local user with administrative privileges to take control of the device. Overall, an interesting bug that led to the triggering of unintended functionality. Pretty neat!
Analysis Summary
# Vulnerability: FortiWeb Authentication Bypass via Impersonation
## CVE Details
- **CVE ID**: CVE-2025-64446 (Note: Initially reported as an unnamed 0-day)
- **CVSS Score**: 9.8 (Critical; an estimate, not a vendor-published score, so confirm against the Fortinet advisory)
- **CWE**: CWE-22 (Path Traversal), CWE-287 (Improper Authentication/Impersonation)
## Affected Systems
- **Products**: Fortinet FortiWeb (WAF)
- **Versions** (as noted at the time of this report; confirm the full affected range, including older 7.x branches, against the vendor advisory):
- 7.4.0 through 7.4.3
- 7.6.0
- 8.0.0 through 8.0.1
- **Configurations**: Devices whose management interface (HTTP/HTTPS) is reachable from untrusted networks or the internet.
## Vulnerability Description
The vulnerability is a multi-stage exploit chain:
1. **Path Traversal**: By using a specially crafted URI (e.g., `/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi`), an attacker can bypass the normal API routing and have the `fwbcgi` binary executed directly. The `%3F` is a URL-encoded `?`, so the request still begins with what looks like a valid API path followed by a query string, while the remainder is resolved as a path that walks up out of the API tree into `cgi-bin/`.
2. **Authentication Bypass (Impersonation)**: The `fwbcgi` binary contains a function `cgi_auth()` that processes a specific HTTP header named `CGIINFO`. This header is expected to contain a Base64-encoded JSON object. Rather than verifying a session or password, the function extracts the fields `username`, `profname`, `vdom` and `loginname` and passes them to `set_login_context_vsa()`. Because the application treats the header values as a trusted source of identity, an attacker who can reach the binary can impersonate any user, including the built-in `admin` account, simply by asserting that identity in the header.
## Exploitation
- **Status**: Exploited in the wild (0-day)
- **Complexity**: Low
- **Attack Vector**: Network (Remote)
- **PoC**: Available (scripts that create administrative users have been publicly documented).
## Impact
- **Confidentiality**: High (Full access to device configuration and data)
- **Integrity**: High (Ability to add new admin users and modify security rules)
- **Availability**: High (Full control over device operations)
## Remediation
### Patches
Fortinet addressed this silently at first (the fix shipped before an advisory was published) in the following versions:
- **FortiWeb 8.0.2** or higher.
- Review Fortinet’s PSIRT advisory page for back-ported fixes in 7.x branches.
### Workarounds
- **Access Control**: Restrict access to the FortiWeb management interface to trusted IP addresses only.
- **Management Isolation**: Use a dedicated management subnet (out-of-band management) and disable management access on external-facing interfaces.
## Detection
- **Indicators of Compromise (IoC)**:
- **HTTP Logs**: Look for POST requests whose path contains `/../..` sequences (including URL-encoded forms such as `%2e%2e/`) and resolves to `cgi-bin/fwbcgi`. The known payload encodes the `?` as `%3F`, so match on the raw request line rather than on a path that has already been split at the query string.
- **Header Analysis**: Presence of the `CGIINFO` header in requests arriving at the management interface; its Base64/JSON payload names the identity being impersonated.
- **User Audit**: Identify unexpected new administrative accounts (e.g., accounts named `Testpoint`, `watchTowr`, or other unrecognized strings).
- **Tools**:
- watchTowr Detection Artefact Generator: `https://github[.]com/watchtowrlabs/watchTowr-vs-Fortiweb-AuthBypass`
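The two indicators above (a traversal that resolves to `cgi-bin/fwbcgi`, and a client-supplied `CGIINFO` header) and the mechanics described under Vulnerability Description can be checked mechanically. The following is an added example written for this page, not code from watchTowr, Fortinet or the original reporters. It runs over a few constructed request records (not real FortiWeb logs; the record shape, the `make_cgiinfo` helper and the indicator names are assumptions made here), percent-decodes and normalises the path the way a naive path resolver would, and decodes the header into the four identity fields named above.

```python
"""Flag access records showing the FortiWeb fwbcgi traversal or a CGIINFO header.
Added example for this page; record format and indicator names are assumptions."""
import base64
import json
import posixpath
import re
from urllib.parse import unquote

TARGET_CGI = "/cgi-bin/fwbcgi"
# A ".." path segment anywhere in the (decoded) path.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")
# Fields cgi_auth() extracts from the CGIINFO JSON object.
IDENTITY_FIELDS = ("username", "profname", "vdom", "loginname")


def decode_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (catches %2e%2e and
    double-encoded variants); bounded so hostile input cannot loop forever."""
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def normalize_path(raw: str) -> str:
    """Resolve '.' and '..' the way a naive file-path resolver would.
    Deliberately does NOT cut the path at '?': the known URI encodes it as %3F
    so a prefix check still sees a valid API path while the remainder is
    resolved as a path, and cutting there would hide the traversal."""
    return posixpath.normpath(decode_path(raw))


def make_cgiinfo(identity: dict) -> str:
    """Build a CGIINFO value (Base64 of a JSON object) for the sample data."""
    return base64.b64encode(json.dumps(identity).encode()).decode()


def decode_cgiinfo(value: str):
    """Decode a CGIINFO header into the identity fields; None if malformed."""
    try:
        obj = json.loads(base64.b64decode(value, validate=True))
    except ValueError:  # binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    if not isinstance(obj, dict):
        return None
    return {k: obj.get(k) for k in IDENTITY_FIELDS}


def analyze_request(req: dict) -> list:
    """Return a list of {'indicator': ..., 'detail': ...} findings for one record."""
    findings = []
    raw_path = req["path"]
    decoded = decode_path(raw_path)
    resolved = normalize_path(raw_path)
    if TRAVERSAL_RE.search(decoded):
        tag = "traversal_to_fwbcgi" if resolved.endswith(TARGET_CGI) else "traversal"
        findings.append({"indicator": tag, "detail": f"{raw_path} resolves to {resolved}"})
    # Header names are case-insensitive; match however the log recorded it.
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if "cgiinfo" in headers:
        identity = decode_cgiinfo(headers["cgiinfo"])
        if identity is None:
            findings.append({"indicator": "cgiinfo_undecodable",
                             "detail": headers["cgiinfo"][:64]})
        else:
            findings.append({"indicator": "cgiinfo_identity", "detail": identity})
    return findings


def scan(records: list) -> list:
    """Return (index, findings) for every record that produced a finding."""
    return [(i, f) for i, rec in enumerate(records) if (f := analyze_request(rec))]


# Constructed sample records (not real FortiWeb logs): method, raw path, headers.
SAMPLE_REQUESTS = [
    {"method": "POST",
     "path": "/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi",
     "headers": {"CGIINFO": make_cgiinfo({"username": "admin", "profname": "prof_admin",
                                          "vdom": "root", "loginname": "admin"})}},
    {"method": "GET", "path": "/api/v2.0/cmdb/system/admin", "headers": {}},
    {"method": "POST",
     "path": "/api/v2.0/cmdb/system/admin%3F/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/cgi-bin/fwbcgi",
     "headers": {}},
    {"method": "GET", "path": "/cgi-bin/fwbcgi", "headers": {"cgiinfo": "not-base64!!"}},
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_REQUESTS):
        print(idx, found)
```

Adapt `SAMPLE_REQUESTS` to whatever your proxy or WAF access log actually records; the important part is to feed the raw request-line path into `normalize_path`, since a log that already stripped everything after the decoded `?` will not show the traversal.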
## References
- **Vendor Advisory**: `hXXps://www[.]fortinet[.]com/trust-center/vulnerability-management`
- **Technical Analysis**: `hXXps://labs[.]watchtowr[.]com/when-the-impersonation-function-gets-used-to-impersonate-users-fortinet-fortiweb-auth-bypass-cve-2025-64446/`
- **Initial Report**: `hXXps://defusedcyber[.]com/`