Fortinet: New Exploit Abuses Zero-Day Vulnerability in Firewalls
IT researchers have found new exploit code in their honeypot. It attacks a previously unknown Fortinet security vulnerability.
(Image: Titima Ongkantong/Shutterstock.com)
IT security researchers have fished exploit code from their honeypot that apparently attacks a previously unknown security vulnerability in Fortinet web application firewalls. The attacked vulnerability is reminiscent of one that Fortinet already closed with an update in 2022.
In a blog post on pwndefend, the author describes how he, together with a friend who is also an IT security researcher, evaluated data from a new honeypot environment and noticed malware that affects FortiWeb firewalls. According to an X post by the friend, initial investigations showed that the malware was not detected by any of the antivirus engines on VirusTotal. The vulnerability appears to be a path traversal flaw. It reminds the IT researchers of the Fortinet vulnerability CVE-2022-40684 (CVSS 9.8, risk "critical"), in which attackers can bypass authentication on the admin interface and, with manipulated requests, execute actions otherwise reserved for administrators. A CVE entry is now available: CVE-2025-64446, CVSS 9.8, risk "critical".
Attacks on the Net
To protect potential victims, the author does not want to go into too much detail about the discovered payload. The attackers send the malware via an HTTP POST request to the endpoint “/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi”. Embedded within this is a command sequence for creating a user account. The blog post also provides indicators of compromise (IOCs); the list includes IP addresses from which observed attacks originated, as well as some username and password combinations that the analyzed malware intended to create.
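The request path quoted above is the only indicator the article reproduces, and it is enough to write a log check for it. The following Python script is an added example, not code from the pwndefend post, watchTowr or heise: it reads web-server access-log lines in combined log format, percent-decodes the request path, resolves `..` segments the way a file-backed handler would, and flags requests that still contain dot-dot traversal after decoding, escalating to "high" when the resolved path lands under `/cgi-bin/`. The log format, client IP addresses (RFC 5737 documentation ranges) and timestamps in the sample are constructed; the first sample path is the one quoted in the article.

```python
import re
from urllib.parse import unquote

# Prefix the observed request resolves to once the ../ segments are applied (from the article).
TARGET_PREFIX = "/cgi-bin/"
# A ".." path segment, i.e. "/../", "/.." at end, or "../" at start.
DOTDOT = re.compile(r"(?:^|/)\.\.(?:/|$)")
# Combined/common log format: client, timestamp, "METHOD path HTTP/x", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def decode_fully(raw, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    encoded dots or slashes are seen by the traversal check as well."""
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def normalize(path):
    """Resolve '.' and '..' segments from the root, as a file-backed handler would.
    The '?' is deliberately kept inside its segment: in the observed request it is
    sent as %3F, so we do not treat it as a query-string delimiter here either."""
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def classify_request(method, raw_path):
    """Return a verdict dict: level in {"none", "medium", "high"}, resolved path, reasons."""
    decoded = decode_fully(raw_path)
    reasons = []
    if DOTDOT.search(decoded):
        reasons.append("dot-dot traversal present after decoding")
    if "%3f" in raw_path.lower():
        reasons.append("percent-encoded '?' inside the path")
    resolved = normalize(decoded)
    if reasons and resolved.startswith(TARGET_PREFIX):
        reasons.append("resolves to " + resolved)
        level = "high"
    elif reasons:
        level = "medium"
    else:
        level = "none"
    if level != "none" and method.upper() == "POST":
        reasons.append("POST method")
    return {"level": level, "resolved": resolved, "reasons": reasons}


def scan_log(lines):
    """Parse access-log lines and return one dict per flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable log line; skip rather than guess
        ip, ts, method, path, status = m.groups()
        verdict = classify_request(method, path)
        if verdict["level"] != "none":
            hits.append({"ip": ip, "time": ts, "status": int(status), **verdict})
    return hits


# Constructed sample log lines (documentation IP ranges, made-up timestamps).
# Line 1 carries the request path quoted in the article; line 2 is a normal API call;
# line 3 has a harmless traversal that resolves back into /static/ and should rate "medium".
SAMPLE_LOG = [
    '198.51.100.23 - - [01/Jan/2025:00:00:01 +0000] "POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512 "-" "curl/8.0"',
    '192.0.2.10 - - [01/Jan/2025:00:00:05 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Jan/2025:00:00:09 +0000] "GET /static/../static/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["level"].upper(), hit["ip"], hit["time"], hit["status"], hit["resolved"], "; ".join(hit["reasons"]))
```

Running the script on the sample prints one HIGH line for the first request and one MEDIUM line for the third; a 200 status on a HIGH hit is the case that warrants checking the appliance's admin account list. The check is intentionally applied after decoding and normalisation rather than as a raw substring match on the quoted path, so that trivially re-encoded variants of the same request do not slip past it.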
The IT forensic experts from watchTowr show in a short video on X how the exploit is executed against a FortiWeb firewall, creating an admin account in the process. They thus confirmed that the zero-day exploit works. They have also added it to their 'Detection Artefact Generator'. Fortinet has not yet provided any information – the latest security update for a product on the website is dated November 3rd. As a countermeasure, administrators of Fortinet firewalls should, at least for now, ensure that access is restricted to trusted IP addresses, especially if the admin interface is reachable from the network.
The exploit appears to target FortiWeb web application firewalls, according to the updated Pwndefend blog post. We have clarified the article accordingly and added the CVE entry for the vulnerability.
(dmk)