Fortinet's Two-in-one

Take a look at the following HTTP request:

POST /api/v2.0/cmdb/system/admin%3F/../.. ../../../cgi-bin/fwbcgi HTTP/1.1

It may look like jargon, but don't be mistaken: the request line above is part of a malicious payload used to reach the "fwbcgi" executable on Fortinet's Web Application Firewall, FortiWeb. This vulnerability is two in one: path traversal (visible in the HTTP request) and authentication bypass.

For some context, this is an in-the-wild vulnerability, meaning it is currently being exploited by attackers. Fortinet PSIRT assigned it CVE-2025-64446 with a CVSS score of 9.4. The recommended remediation is to update the firmware to the listed fixed versions. A temporary workaround is to disable HTTP/HTTPS access on any internet-facing interfaces.

Here's my understanding of how the exploit works: the HTTP request uses path traversal to reach "fwbcgi" and its functions. Okay, that's the first step; next we need to understand how the "fwbcgi" executable works.

The executable checks that the body of any incoming HTTP request is valid JSON. It invokes these two functions:

cgi_inputcheck()
cgi_auth()

cgi_inputcheck() is pretty straightforward. To pass the check, any valid JSON is acceptable.

The next part is cgi_auth(). This function parses the CGIINFO header of the HTTP request: it Base64-decodes the header value, iterates through the resulting JSON, and reads the associated values. Here's how the built-in admin account would be accessed:

username: "admin"
profname: "prof_admin"
vdom: "root"
loginname: "admin"

If cgi_inputcheck() seemed too permissive at first, cgi_auth() is where the executable truly falls short. Instead of authenticating the requester, the function takes the user-supplied data at face value and provisions the corresponding account.

Effectively, this function allows the user to impersonate any account the user would like, including the built-in admin account provided by FortiWeb.
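To make the two indicators concrete from a defender's side, here is an added triage example (my own code, not Fortinet's or from any public detection rule) that inspects one access record for the traversal-to-fwbcgi path and for a CGIINFO header, reporting which account the header claims. The sample request is constructed for the example; it reuses the request line quoted above and a Base64 JSON value built from the fields listed in the post.

```python
import base64
import json
import re
from urllib.parse import unquote

FWBCGI = "cgi-bin/fwbcgi"
IDENTITY_KEYS = ("username", "profname", "vdom", "loginname")


def decode_path(raw_path: str) -> str:
    """Percent-decode repeatedly until stable, so double encoding is also caught."""
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(path: str) -> bool:
    """True when any segment (split on '/' or whitespace) is a '..' step."""
    return any(seg == ".." for seg in re.split(r"[/\s]+", path))


def claimed_identity(cgiinfo_value: str):
    """Decode a CGIINFO header and return the account fields it claims, or None."""
    try:
        data = json.loads(base64.b64decode(cgiinfo_value, validate=True))
    except ValueError:  # bad Base64, bad UTF-8 or bad JSON all derive from ValueError
        return None
    if not isinstance(data, dict):
        return None
    return {key: data.get(key) for key in IDENTITY_KEYS}


def assess_request(raw_path: str, headers: dict) -> list:
    """Return human-readable findings for one request; an empty list means nothing flagged."""
    findings = []
    path = decode_path(raw_path)
    if has_traversal(path):
        findings.append("path traversal toward fwbcgi" if FWBCGI in path else "path traversal")
    cgiinfo = next((v for k, v in headers.items() if k.lower() == "cgiinfo"), None)
    if cgiinfo is not None:
        ident = claimed_identity(cgiinfo)
        if ident:
            findings.append(f"CGIINFO claims username={ident['username']!r} profname={ident['profname']!r}")
        else:
            findings.append("CGIINFO header present but undecodable")
    return findings


# Constructed sample record (not a real log): the request line from the post plus a CGIINFO value.
SAMPLE_PATH = "/api/v2.0/cmdb/system/admin%3F/../.. ../../../cgi-bin/fwbcgi"
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "CGIINFO": base64.b64encode(json.dumps(
        {"username": "admin", "profname": "prof_admin", "vdom": "root", "loginname": "admin"}
    ).encode()).decode(),
}
```

Any request whose decoded path reaches fwbcgi through ".." steps, or that carries a CGIINFO header at all from an untrusted source, deserves an alert; a benign API call to /api/v2.0/cmdb/system/admin without that header produces no findings.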

Fortunately for me, this is a simpler vulnerability, making it feasible enough for me to understand at my current level. Unfortunately, it also seems simple enough for an insider threat to craft a specialized CGIINFO HTTP header in order to impersonate users and assume their privileges in FortiWeb.