Fortinet FortiWeb Path Traversal Vulnerability Enabling Remote Command Execution
A critical path traversal vulnerability (CVE-2025-64446) has been identified in multiple versions of Fortinet FortiWeb, allowing unauthenticated attackers to execute administrative commands on affected systems via crafted HTTP or HTTPS requests. Fortinet has confirmed that this vulnerability is being actively exploited in the wild. The affected versions include FortiWeb 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. The vulnerability is rated as critical, with a CVSS score of 9.1, and exploitation can lead to full administrative compromise of the device.
Fortinet recommends immediate upgrades to patched versions (8.0.2, 7.6.5, 7.4.10, 7.2.12, or 7.0.12 and above) and advises disabling HTTP/HTTPS on internet-facing interfaces as a temporary mitigation. Organizations are urged to review configurations and logs for unauthorized changes or the creation of new administrator accounts following remediation. The vulnerability is tracked as CVE-2025-64446 and is documented in both Fortinet's official advisory and public CVE feeds.
Timeline
Nov 17, 2025
Security researchers report active exploitation of CVE-2025-64446
By November 17, reporting from SC Media said attacks exploiting CVE-2025-64446 were underway in the wild, with watchTowr, PwnDefend, and Rapid7 observing intrusions. The bug was described as enabling path traversal and authentication bypass that could let attackers execute administrative commands and potentially fully compromise affected systems.
Nov 14, 2025
CISA alerts on FortiWeb vulnerability and urges remediation
CISA published an alert highlighting Fortinet's advisory for CVE-2025-64446, a relative path traversal vulnerability affecting FortiWeb products. The agency urged organizations to apply fixes or mitigations and set a November 21 remediation deadline for federal agencies.
Nov 14, 2025
Fortinet discloses CVE-2025-64446 in FortiWeb and issues advisory
Fortinet published security advisory FG-IR-25-910 for a relative path traversal/path confusion vulnerability in the FortiWeb GUI, tracked as CVE-2025-64446. The flaw affects multiple FortiWeb versions and Fortinet provided remediation guidance and workaround recommendations.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Affected Products
Sources
1 more from sources like cisa advisories
Related Stories
Critical Path Traversal Vulnerability in Fortinet FortiWeb (CVE-2025-64446)
A critical vulnerability, CVE-2025-64446, has been identified in the GUI component of Fortinet FortiWeb, a web application firewall. This relative path traversal flaw allows remote, unauthenticated attackers to execute administrative commands on affected systems via crafted HTTP or HTTPS requests, potentially granting root access. The vulnerability affects FortiWeb versions 7.0.0 through 7.0.11, 7.2.0 through 7.2.11, 7.4.0 through 7.4.9, 7.6.0 through 7.6.4, and 8.0.0 through 8.0.1. Multiple sources confirm that this vulnerability is being actively exploited in the wild, and it has been added to CISA's Known Exploited Vulnerabilities catalog. Fortinet and cybersecurity authorities strongly urge organizations to upgrade to the latest patched versions: 7.0.12, 7.2.12, 7.4.10, 7.6.5, or 8.0.2 or later, depending on the affected release. Security advisories from both Fortinet and the Canadian Centre for Cyber Security emphasize the urgency of identifying and patching vulnerable systems immediately to mitigate the risk of compromise. Organizations are advised to use asset inventory tools to locate potentially impacted FortiWeb devices and apply the recommended updates without delay.
1 months ago
Fortinet FortiWeb Path Traversal Vulnerability CVE-2025-64446 Actively Exploited
A critical vulnerability, CVE-2025-64446, affecting Fortinet FortiWeb web application firewall devices has been actively exploited in the wild, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, present in FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, and earlier branches, allows unauthenticated remote attackers to bypass authentication and execute administrative commands via crafted HTTP or HTTPS requests. Attackers have leveraged this vulnerability to create unauthorized administrative accounts, such as "Testpoint" and "trader," enabling persistent and undetected access to affected systems. Fortinet has released patches in version 8.0.2 and equivalent updates, but exploitation continues against unpatched devices, exposing organizations to significant risk of compromise and data exposure. CISA's inclusion of CVE-2025-64446 in the KEV catalog underscores the urgency of remediation, especially for U.S. federal agencies, which have been mandated to patch vulnerable FortiWeb systems by November 21, 2025. The agency also strongly advises all organizations to prioritize remediation of this and other KEV-listed vulnerabilities to reduce exposure to active cyber threats. The vulnerability's exploitation highlights the ongoing risk posed by unpatched perimeter security devices and the importance of timely vulnerability management in defending against sophisticated attacks.
1 months ago
Active Exploitation of Fortinet FortiWeb Path Traversal Vulnerability (CVE-2025-64446)
A critical path traversal vulnerability in Fortinet FortiWeb, tracked as CVE-2025-64446, is being actively exploited in the wild. The flaw allows unauthenticated attackers to execute administrative commands on affected FortiWeb appliances by abusing the management API to reach internal endpoints. GreyNoise observed weaponization of this vulnerability within 72 hours of its disclosure, with coordinated scanning activity originating from multiple IPs and hosting providers, indicating a rapid and organized exploitation effort. The vulnerability affects FortiWeb versions 7.0 through 8.0, and exploit attempts have been detected using uniform TLS fingerprints, suggesting the use of automated tools. CISA added CVE-2025-64446 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch the flaw within a specified deadline. Another FortiWeb zero-day, CVE-2025-58034, was also disclosed and patched, but CVE-2025-64446 is noted as the more critical issue due to its unauthenticated attack vector and higher CVSS score. Security researchers emphasize the urgency of patching FortiWeb appliances to prevent unauthorized access and potential compromise, as exploitation is ongoing and targeting a broad range of organizations.
1 months ago