CVE-2025-64446 is a recently identified vulnerability affecting FortiWeb, Fortinet's web application firewall product. The vulnerability allows an unauthenticated attacker to send specially crafted POST requests to a specific endpoint on the FortiWeb device, which results in the creation of a new administrative user profile (prof_admin) with full administrative privileges. This effectively grants the attacker complete control over the FortiWeb appliance, enabling them to manipulate security policies, disable protections, and potentially pivot into protected networks. The exploit attempts were detected in multiple honeypots, indicating active reconnaissance and exploitation efforts by threat actors. The attack vector involves no authentication or user interaction, making it highly accessible to remote attackers scanning for vulnerable devices exposed to the internet. The technical details, as reported by the SANS Internet Storm Center and researcher Didier Stevens, include the use of specific POST data and user-agent strings to execute the exploit. While no official patches or mitigation instructions were provided at the time of reporting, the critical nature of administrative account creation necessitates urgent attention. FortiWeb appliances are widely deployed in enterprise environments to protect web applications from attacks such as SQL injection, cross-site scripting, and other OWASP Top 10 threats, so compromising these devices undermines the security posture of affected organizations.

For European organizations, exploitation of CVE-2025-64446 could lead to severe consequences including unauthorized administrative access to FortiWeb devices, disabling or bypassing web application firewall protections, and potential exposure of sensitive data processed by protected web applications. This could result in data breaches, service disruptions, and compliance violations under regulations such as GDPR. Attackers gaining control over FortiWeb appliances might also use them as a foothold to launch further attacks within internal networks, increasing the risk of lateral movement and broader compromise. Critical sectors such as finance, healthcare, government, and telecommunications that rely heavily on FortiWeb for web application security are particularly vulnerable. The ability to create new admin users without authentication significantly raises the risk profile, as it bypasses normal access controls. Although no confirmed active exploitation in the wild has been reported, the observed exploit attempts in honeypots suggest imminent or ongoing scanning campaigns targeting exposed FortiWeb devices. The impact extends beyond confidentiality to integrity and availability of web application defenses, potentially leading to widespread operational disruption.

1. Immediately audit FortiWeb devices for any unauthorized administrative accounts, especially newly created profiles matching the prof_admin pattern. 2. Restrict management interface access to trusted IP addresses using network segmentation and firewall rules to limit exposure to the internet. 3. Monitor network traffic for suspicious POST requests targeting FortiWeb endpoints, particularly those matching the exploit patterns reported in honeypots. 4. Implement strict logging and alerting on administrative account creation and configuration changes within FortiWeb appliances. 5. Apply vendor patches or firmware updates as soon as they become available to remediate CVE-2025-64446. 6. If patches are not yet available, consider temporary mitigations such as disabling vulnerable endpoints or deploying web application firewall rules to block exploit payloads. 7. Conduct penetration testing and vulnerability scanning focused on FortiWeb devices to identify exposure and validate mitigations. 8. Educate security teams about this vulnerability and ensure incident response plans include steps for FortiWeb compromise scenarios. 9. Collaborate with Fortinet support and subscribe to threat intelligence feeds for updates on exploit activity and remediation guidance.