Warning: Path Traversal Vulnerability in Fortinet FortiWeb - Patch Immediately!

    * Last update:  26/11/2025
   
    * Affected products:
  → FortiWeb 8.0 8.0.0 through 8.0.1
  → FortiWeb 7.6 7.6.0 through 7.6.4
  → FortiWeb 7.4 7.4.0 through 7.4.9
  → FortiWeb 7.2 7.2.0 through 7.2.11
  → FortiWeb 7.0 7.0.0 through 7.0.11

    * Type: Path traversal
 
    * CVE/CVSS:

• CVE-2025-64446: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

Fortinet: - https://fortiguard.fortinet.com/psirt/FG-IR-25-910
CISA: - https://www.cisa.gov/news-events/alerts/2025/11/14/fortinet-releases-security-advisory-relative-path-traversal-vulnerability-affecting-fortiweb

Risks

A newly discovered relative path traversal vulnerability in Fortinet FortiWeb allows attackers to execute administrative commands through specially crafted HTTP or HTTPS requests.

Fortinet FortiWeb is an advanced web application firewall (WAF) solution used by enterprises to protect critical web services from attacks such as SQL injection, cross-site scripting (XSS), file inclusion, API abuse, and automated bot traffic. It plays a vital role in safeguarding application infrastructures, ensuring secure traffic handling, and enforcing robust security policies across distributed environments.

If exploited, this could lead to data breaches, system compromise, and operational downtime, impacting the confidentiality, integrity, and availability of critical business systems.

UPDATE: 26/11/2025
Threat actors are actively exploiting this vulnerability, on its own as well as in combination with CVE-2025-58034. Threat actors have been observed exploiting CVE-2025-64446 as an initial access vector and then chain CVE-2025-58034 to escalate privileges on a target system. These vulnerabilities chained together could lead to unauthenticated remote code execution against vulnerable FortiWeb products.

Description

A critical security vulnerability, CVE-2025-64446, has been identified in Fortinet FortiWeb across multiple major release branches. This flaw stems from a relative path traversal weakness that enables attackers to manipulate file paths within crafted HTTP or HTTPS requests.

When successfully exploited, this issue enables an unauthenticated attacker to execute administrative commands directly on the FortiWeb appliance, thereby gaining high-impact control over a core security component.

Fortinet has confirmed that this vulnerability is actively exploited in the wild, significantly elevating urgency for remediation.

Recommended Actions

Patch 
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

When mitigation measures or workarounds are available, consider implementing these as soon as possible and wherever feasible until you have completed patching.

UPDATE: 26/11/2025
If you cannot immediately upgrade the affected systems, disable HTTP or HTTPS for internet-facing interfaces. Note: Limiting access to HTTP/HTTPS management interfaces to internal networks is a best practice that reduces, but does not eliminate, risk; upgrading the affected systems remains essential and is the only way to fully remediate this vulnerability.

After upgrading, review configuration and review logs for unexpected modifications or the addition of unauthorized administrator accounts.

Where vulnerabilities affect end of life devices, the Centre for Cybersecurity Belgium strongly encourages moving to a supported version.

Monitor/Detect 
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.