🔴 HIGH

CVE-2025-64446 - FortiWeb Admin Creation Exploit Observed in Honeypots

Category: Threat Alerts
Honeypot systems recorded live exploitation attempts for CVE-2025-64446 targeting FortiWeb devices via crafted POST requests that automatically create a new prof_admin-privileged user. Attack behavior aligns with T1190 (Exploit Public-Facing Application) and T1136 (Create Account). The observed payload mirrors public proof-of-concept exploit code, demonstrating active attacker adoption. Because FortiWeb appliances serve as web application firewalls, unauthorized admin creation can fully compromise perimeter defenses, enabling rule tampering, lateral movement, and data exposure. Although the honeypot capture is brief, it confirms automated exploitation activity consistent with opportunistic scanning and early-stage weaponization.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: Successful exploitation grants attackers administrative control over WAF systems, exposing downstream applications to compromise.

Technical Context: Attackers use POST requests with JSON payloads that replicate publicly available PoCs to create privileged accounts.

Strategic Intelligence Guidance

  • Apply FortiWeb patches addressing CVE-2025-64446 immediately.
  • Audit admin accounts for unauthorized additions.
  • Enable WAF logging with alerting on configuration changes.
  • Restrict management interfaces to secure networks.
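An added example (not from the alert or from Fortinet) of the admin-account audit recommended above: it diffs a constructed export of the appliance's admin list against a reviewed baseline and flags additions, profile changes and removals. The JSON export layout, the `prof_readonly` profile name and all sample accounts are assumptions; only `prof_admin` and the T1136 mapping come from the alert.

```python
import json

# Constructed baseline of reviewed admin accounts: name -> access profile.
BASELINE_ADMINS = {
    "admin": "prof_admin",
    "wafops": "prof_admin",
    "auditor": "prof_readonly",   # hypothetical read-only profile name
}

# Constructed export of the appliance's current admin list. The JSON
# layout (name/profile/created) is hypothetical; a real export would come
# from the device's own API or a configuration backup.
CURRENT_EXPORT = json.dumps([
    {"name": "admin",   "profile": "prof_admin", "created": "2024-03-01T09:00:00Z"},
    {"name": "wafops",  "profile": "prof_admin", "created": "2024-06-12T14:30:00Z"},
    {"name": "auditor", "profile": "prof_admin", "created": "2024-06-12T14:31:00Z"},
    {"name": "svc_x9",  "profile": "prof_admin", "created": "2025-11-15T03:12:44Z"},
])


def audit_admins(export_json, baseline):
    """Diff the current admin list against the reviewed baseline.

    Returns one finding per discrepancy: 'unexpected_account' for an admin
    absent from the baseline (the pattern this alert describes),
    'profile_changed' for a known admin whose access profile no longer
    matches, and 'missing_account' for a baseline admin that has vanished.
    Each finding records whether the prof_admin profile is involved.
    """
    current = {a["name"]: a for a in json.loads(export_json)}
    findings = []
    for name, acct in current.items():
        if name not in baseline:
            findings.append({"account": name, "reason": "unexpected_account",
                             "profile": acct["profile"], "created": acct.get("created")})
        elif baseline[name] != acct["profile"]:
            findings.append({"account": name, "reason": "profile_changed",
                             "profile": acct["profile"], "expected": baseline[name]})
    for name, profile in baseline.items():
        if name not in current:
            findings.append({"account": name, "reason": "missing_account",
                             "profile": profile})
    for f in findings:
        # A newly created admin is the Create Account (T1136) behaviour in the alert.
        f["privileged"] = f["profile"] == "prof_admin"
        f["technique"] = "T1136" if f["reason"] == "unexpected_account" else None
    return findings
```

Run the audit on every scheduled check and alert on any finding with `privileged` set, since the alert's honeypot capture shows the attacker-created account arriving with prof_admin rights.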

CVEs

CVE-2025-64446

Vendors

Fortinet FortiWeb

Targets

WAF appliances