Honeypot: FortiWeb CVE-2025-64446 Exploits, (Sat, Nov 15th)

Like many have reported, we too noticed exploit attempts for CVE-2025-64446 in our honeypots.

These are POST requests to this path:

With this User Agent String:

And this is the data of the POST request:

This creates a new admin user (profile: prof_admin).

You can find this JSON data back in this PoC.

Didier Stevens
Senior handler
blog.DidierStevens.com

Published at Sat, 15 Nov 2025 09:44:35 +0000