CVE-2025-64446 is a critical authentication bypass vulnerability in FortiWeb, Fortinet's web application firewall, that lets attackers gain unauthorized administrative access by abusing a flaw in the appliance's user impersonation mechanism. The vulnerability, rated CVSS 9.8, combines a relative path traversal with a logic flaw so that an attacker can bypass the standard login procedure and execute administrative commands, ultimately creating persistent admin accounts. The flaw was exploited in the wild before a public patch was released, making it a zero-day, and Fortinet has since issued security updates to address it. Users are advised to apply these patches immediately and review their administrative user lists for signs of compromise; Detectify provides tools to test for the specific exploit conditions.