Fortinet's FortiWeb has a serious vulnerability that allows attackers to impersonate users and gain administrative access. The issue, identified as CVE-2025-64446, involves both a Path Traversal vulnerability and an Authentication Bypass. Attackers can exploit these weaknesses to add administrative accounts to the appliance, compromising its security entirely. The vulnerability was first highlighted by Defused, revealing an ongoing exploitation that hasn’t been publicly acknowledged by Fortinet until recently. The main exploit revolves around manipulating API requests. Specifically, attackers can send a crafted POST request that bypasses authentication mechanisms. The payload includes a CGIINFO header containing base64-encoded user data, which the system decodes and uses to grant access based on the attributes it extracts. This means that any user can be impersonated, including the built-in admin account, leading to a complete takeover of the device. Fortinet has patched the issue in version 8.0.2, though earlier versions remain vulnerable. The affected versions span various releases, including 8.0 (prior to 8.0.2), 7.6 (prior to 7.6.5), and others back to 6.3. The exploit allows attackers to check for vulnerability presence by sending specific GET requests and observing the HTTP response. If the server responds with HTTP 200, the vulnerability exists; if it responds with HTTP 403, it has been patched. This patching raises questions about whether Fortinet was aware of the vulnerability before it was exploited.