Fortinet has acknowledged active exploitation of a FortiWeb GUI path traversal that lets an unauthenticated attacker reach a CGI endpoint and impersonate users, including admins, to run privileged actions such as creating new administrator accounts (CVE-2025-64446) (Fortinet PSIRT FG-IR-25-910; NVD entry). SANS ISC’s Stormcast on November 17, 2025 highlighted widespread scanning and recommended treating exposed, unpatched appliances as compromised until proven otherwise (SANS Stormcast 2025-11-17). In parallel, ClickFix lures are leveraging Windows finger.exe to fetch follow-on commands over the legacy Finger protocol, making egress on TCP/79 a simple detection point (SANS ISC diary; BleepingComputer).

FortiWeb CVE-2025-64446: Path Traversal + CGI impersonation yields admin on-box

On November 14, 2025, watchTowr published a hands-on analysis of Fortinet FortiWeb CVE-2025-64446 showing an auth bypass chain: a path traversal to the fwbcgi binary, plus a crafted Base64-encoded CGIINFO header that causes user impersonation and enables privileged actions like creating local admin accounts (watchTowr write-up). Fortinet has issued PSIRT advisory FG-IR-25-910 for CVE-2025-64446, with fixes in 8.0.2 and corresponding maintenance branches; multiple CERTs note active exploitation (CERT-FR bulletin, Canadian Centre for Cyber Security alert, and NVD entry). (labs.watchtowr.com)