CVE-2025-64446
Description
Critical path traversal vulnerability in Fortinet FortiWeb (CVSS 9.8) allows unauthenticated remote administrative command execution. Actively exploited.
CPE
| Product | Version Start | Version End (excl.) | Status |
|---|---|---|---|
| fortiweb | 7.0.0 | 7.0.12 | vulnerable |
| fortiweb | 7.2.0 | 7.2.12 | vulnerable |
| fortiweb | 7.4.0 | 7.4.10 | vulnerable |
| fortiweb | 7.6.0 | 7.6.5 | vulnerable |
| fortiweb | 8.0.0 | 8.0.2 | vulnerable |
Related weakness (CWE)
Remediation plan
Apply official patches
Immediately update Fortinet FortiWeb to the latest secure firmware versions (8.0.2, 7.6.5, 7.4.10, 7.2.12, or 7.0.12) following the guidance in FortiGuard advisory FG-IR-25-910.
Update affected systems
Identify and upgrade all instances running vulnerable versions, including FortiWeb 8.0.0-8.0.1, 7.6.0-7.6.4, 7.4.0-7.4.9, 7.2.0-7.2.11, and 7.0.0-7.0.11.
Restrict access
Minimize the attack surface by restricting access to the FortiWeb management interface. Use firewall policies to ensure administrative ports are only accessible from trusted internal IP addresses or via a secure VPN.
Monitor for exploitation
Audit system logs for unauthorized administrative command execution and review web traffic for suspicious path traversal patterns, such as '../' sequences, in incoming HTTP/HTTPS requests.
Detection Guidance
To detect potential exploitation of CVE-2025-64446, security teams should scan web server logs for HTTP/HTTPS requests containing relative path traversal sequences (e.g., '../' or its URL-encoded variants) directed at management endpoints. Monitor for anomalous administrative activity, such as the creation of new accounts or unexpected configuration changes. Additionally, look for indicators of shell command execution originating from the FortiWeb process and implement IDS/IPS signatures specifically tuned for Fortinet path traversal vulnerabilities.