CVE-2025-64446 – A relative path traversal vulnerability in Fort... (How to Fix)

Q: What is the severity of CVE-2025-64446?

CVE-2025-64446 has a CVSS score of 9.8 (CRITICAL). A relative path traversal vulnerability in Fortinet FortiWeb web application firewalls allows attackers to execute administrative commands via crafted HTTP/HTTPS requests. This affects FortiWeb versions 7.0.0-7.0.11, 7.2.0-7.2.11, 7.4.0-7.4.9, 7.6.0-7.6.4, and 8.0.0-8.0.1.

📋 TL;DR

A relative path traversal vulnerability in Fortinet FortiWeb web application firewalls allows attackers to execute administrative commands via crafted HTTP/HTTPS requests. This affects FortiWeb versions 7.0.0-7.0.11, 7.2.0-7.2.11, 7.4.0-7.4.9, 7.6.0-7.6.4, and 8.0.0-8.0.1.

💻 Affected Systems

Products:

Fortinet FortiWeb

Versions: 7.0.0-7.0.11, 7.2.0-7.2.11, 7.4.0-7.4.9, 7.6.0-7.6.4, 8.0.0-8.0.1

Operating Systems: FortiOS-based appliances

Default Config Vulnerable: ⚠️ Yes

Notes: All affected versions with default configurations are vulnerable. The vulnerability is in the web management interface.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with administrative access, allowing attackers to modify configurations, exfiltrate data, or deploy ransomware.

🟠

Likely Case

Unauthorized administrative command execution leading to configuration changes, data access, or lateral movement within the network.

🟢

If Mitigated

Limited impact if proper network segmentation, access controls, and monitoring are in place to detect and block exploitation attempts.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept code exists and CISA confirms active exploitation. Attack requires network access to FortiWeb management interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FortiWeb 8.0.2, 7.6.5, 7.4.10, 7.2.12, 7.0.12

Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-910

Restart Required: Yes

Instructions:

1. Download the appropriate firmware version from Fortinet support portal. 2. Backup current configuration. 3. Upload and install the firmware update via web interface or CLI. 4. Reboot the appliance. 5. Verify the update was successful.

🔧 Temporary Workarounds

Restrict Management Interface Access

all

Limit access to FortiWeb management interface to trusted IP addresses only.

config system interface
edit <interface_name>
set allowaccess https ssh
set trust-ip-1 <trusted_ip>/<mask>
end

Disable Unused Management Protocols

all

Disable HTTP/HTTPS management access if not required, using SSH/console only.

config system interface
edit <interface_name>
set allowaccess ssh
unset allowaccess https http
end

🧯 If You Can't Patch

Implement strict network access controls to limit FortiWeb management interface exposure.
Deploy network intrusion detection rules to monitor for exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check FortiWeb firmware version via web interface (System > Dashboard) or CLI command 'get system status'.

Check Version:

get system status | grep Version

Verify Fix Applied:

Verify firmware version is 8.0.2, 7.6.5, 7.4.10, 7.2.12, or 7.0.12 using 'get system status' command.

📡 Detection & Monitoring

Log Indicators:

Unusual administrative command execution logs
Multiple failed authentication attempts followed by successful administrative actions
HTTP requests with path traversal patterns (../ sequences)

Network Indicators:

HTTP/HTTPS requests to FortiWeb management interface with unusual paths or parameters
Traffic from unexpected source IPs to management ports

SIEM Query:

source="fortiweb" AND (url="*../*" OR action="execute" OR user="admin")

📊 Metadata

CVE ID: CVE-2025-64446

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-23

EPSS Score: 89.02% exploit probability (99.5th percentile)

CISA KEV: Actively Exploited added Nov 14, 2025

Published: November 14, 2025

Last Updated: November 21, 2025

🔗 References

https://fortiguard.fortinet.com/psirt/FG-IR-25-910 Vendor Advisory
https://github.com/watchtowrlabs/watchTowr-vs-Fortiweb-AuthBypass Exploit,Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-64446 US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-64446, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Fortiweb by Fortinet

Fortiweb by Fortinet

Fortiweb by Fortinet

Fortiweb by Fortinet

Fortiweb by Fortinet

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict Management Interface Access

Disable Unused Management Protocols

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities