The cybersecurity landscape has shifted once again, driven by the public release of a proof-of-concept exploit targeting the critical vulnerability CVE-2025-64446 within FortiWeb devices. This disclosure, originating from a GitHub repository named “CVE-2025-64446-FortiWeb-CGI-Bypass-PoC” created by user sxyrxyy, represents a significant escalation in the exploitation of this previously observed flaw and warrants immediate attention from security professionals.
The core of the vulnerability lies in a critical path traversal issue within FortiWeb’s web application firewall (WAF) component. The root cause stems from inadequate input validation during the handling of CGI requests. This essentially allows an attacker to bypass intended access controls, facilitating remote code execution, particularly within specified configurations. The CVSS 9.8 rating is entirely justified – this isn’t a theoretical issue; we’re seeing it actively leveraged.
Initial reports, compiled by threat intelligence firms monitoring dark web forums and incident response logs, surfaced as early as October 2025, indicating that the exploit was already being deployed in real-world attacks. This timeframe underscores the speed with which attackers can react to publicly available tools. The affected FortiWeb versions – 6.3.0 through 7.4.6 – represent a substantial attack surface.
The provided PoC is remarkably straightforward. It’s built around a Python script, readily deployable with the standard pip install -r requirements.txt command. The utility functions in two distinct modes. The “check” mode, triggered with python3 exploit.py -t --check, offers a non-destructive probe, confirming vulnerability without altering system state. However, when executed in exploit mode, python3 exploit.py -t --exploit utilizes the CGI endpoint to directly manipulate user accounts. The tool defaults to a username “sxy” and a password “sxyrxyadmin1!” – a particularly regrettable pattern.
Beyond the basic functionality, the PoC incorporates several options designed to enhance flexibility for penetration testing. Users can customize target usernames, passwords, profile names (the default is “prof_admin”), VDOM instances (using “root” as the default), and login names (“admin”). For streamlined assessments, the tool supports batch operations via a file, allowing the scan of multiple targets defined in files like “targets.txt,” facilitating large-scale scanning of IP ranges, as shown with example scan 192.168.1.100 to 192.168.1.102.
Configuration options offer granular control. The default port remains HTTPS (443), but the tool allows switching to unencrypted traffic via the -http flag. Furthermore, the script incorporates the –testpoint-name option, setting a default user creation name of “Testpoint”. These settings provide a level of precision that is not often seen in readily available exploits.
The release of this PoC inevitably raises serious concerns. While undoubtedly valuable for defensive testing and security assessments, the widespread availability of the tool amplifies the potential risks to organizations deploying vulnerable FortiWeb versions – primarily those within sectors like finance and healthcare – that haven’t implemented timely patching. The advice from Fortinet – immediate patching to version 7.4.7 or later alongside robust network segmentation to mitigate lateral movement – is critical.
It’s imperative to recognize the implications of responsible disclosure. The repository’s disclaimer explicitly states that the tool’s use is restricted to owned or permitted systems. Failure to adhere to this guideline exacerbates the risks and undermines the integrity of the disclosure process.
The situation underscores the need for constant vigilance, particularly for organizations relying on legacy systems. A proactive security posture, incorporating regular vulnerability scans, timely patching, and robust network controls, remains the best defense against emerging threats.