Fortinet FortiWeb Path Traversal Vulnerability Under Zero-Day Exploitation

Summary

Security researchers have observed mass exploitation of CVE-2025-64446 in the wild.


Threat details

Mass Exploitation of CVE-2025-64446 Observed

Security researchers at CERT Orange Cyberdefense have reported mass exploitation of CVE-2025-64446 in the Fortinet FortiWeb management console, with the first exploitation observed in July 2025. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-64446 to its Known Exploited Vulnerabilities (KEV) Catalog.

Researchers at watchTowr have also released a "detection artifact generator" that can easily be modified into a proof-of-concept exploit. The NHS England National CSOC assesses further exploitation as highly likely.


Introduction

Security researchers at PwnDefend and Defused have reported zero-day exploitation of a path traversal vulnerability that could allow a remote, unauthenticated attacker to bypass authentication in the management console of Fortinet FortiWeb appliances.

Fortinet has now published an advisory for CVE-2025-64446.

  • CVE-2025-64446 - "Relative Path Traversal" vulnerability - CVSSv3 score: 9.1

Threat updates

Date         Update
21 Nov 2025  Confirmed affected versions in Affected Platforms.
17 Nov 2025  Fortinet advisory released.

The following sections have been updated to reflect this change:

  • Title updated to reflect Common Weakness Enumeration (CWE) for CVE-2025-64446
  • Affected versions of FortiWeb
  • Exploitation details
  • Introduction
  • Remediation advice & steps

Remediation advice

Affected organisations are strongly encouraged to review Fortinet PSIRT advisory FG-IR-25-910 and follow the remediation steps detailed below.


Remediation steps

Type: Patch

Step: Affected organisations are strongly encouraged to update Fortinet FortiWeb to one of the following versions as soon as possible.

Fixed versions:

  • version 8.0.2
  • version 7.6.5
  • version 7.4.10
  • version 7.2.12
  • version 7.0.12

Reference: https://www.fortiguard.com/psirt/FG-IR-25-910

Type: Guidance

Step: Affected organisations are encouraged to restrict access to management consoles for network security appliances, including FortiWeb, to known, trusted access points. Organisations are strongly encouraged to disable access to the management console from the internet.

Reference: https://www.fortiguard.com/psirt/FG-IR-25-910
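The fixed-version list above is only useful once it is compared against an estate, so the following added example (not part of this advisory or of Fortinet's tooling) triages an inventory of FortiWeb firmware versions against it, branch by branch. It assumes that any release at or above the listed fix within the same major.minor branch is patched, and it flags branches the advisory does not name for manual review; hostnames and versions in the sample inventory are constructed.

```python
"""Triage FortiWeb firmware versions against the fixed versions for
CVE-2025-64446 listed in Fortinet PSIRT advisory FG-IR-25-910.

The fixed-version list is taken from the advisory as quoted on this page;
the sample inventory at the bottom is constructed for illustration.
"""
import re

# Minimum fixed release per affected branch (major.minor), from the advisory.
FIXED_VERSIONS = ["8.0.2", "7.6.5", "7.4.10", "7.2.12", "7.0.12"]

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text: str) -> tuple:
    """Parse '7.4.9' or 'v7.4.9' into (major, minor, patch); reject anything else."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


# Branch (major, minor) -> first fixed (major, minor, patch) in that branch.
_FIXED_BY_BRANCH = {v[:2]: v for v in map(parse_version, FIXED_VERSIONS)}


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one appliance.

    Comparison is per branch: a 7.4.x device is only patched at >= 7.4.10, and
    a higher branch number such as 8.0.1 does not imply a fix for its own branch.
    Assumption: releases above the listed fix in the same branch are also fixed.
    Branches the advisory does not name (e.g. 6.x) cannot be cleared by this
    list and are flagged for manual review against the vendor's guidance.
    """
    v = parse_version(version)
    fixed = _FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unknown-branch"
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: dict) -> dict:
    """Group appliance names by assessment so the vulnerable set is explicit."""
    groups = {"vulnerable": [], "patched": [], "unknown-branch": []}
    for host, version in inventory.items():
        groups[assess(version)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = {"fweb-dmz-01": "7.4.9", "fweb-dmz-02": "7.4.10",
              "fweb-core-01": "8.0.1", "fweb-lab-01": "v7.0.12", "fweb-old-01": "6.4.3"}
    for status, hosts in triage(sample).items():
        print(f"{status:15s} {', '.join(hosts) or '-'}")
```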


Last edited: 21 November 2025 11:47 am