Fortinet FortiWeb Path Traversal Vulnerability Enabling Remote Command Execution
A critical path traversal vulnerability (CVE-2025-64446) has been identified in multiple versions of Fortinet FortiWeb, allowing unauthenticated attackers to execute administrative commands on affected systems via crafted HTTP or HTTPS requests. Fortinet has confirmed that this vulnerability is being actively exploited in the wild. The affected versions include FortiWeb 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. The vulnerability is rated as critical, with a CVSS score of 9.1, and exploitation can lead to full administrative compromise of the device.
Fortinet recommends immediate upgrades to patched versions (8.0.2, 7.6.5, 7.4.10, 7.2.12, or 7.0.12 and above) and advises disabling HTTP/HTTPS on internet-facing interfaces as a temporary mitigation. Organizations are urged to review configurations and logs for unauthorized changes or the creation of new administrator accounts following remediation. The vulnerability is tracked as CVE-2025-64446 and is documented in both Fortinet's official advisory and public CVE feeds.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Security researchers report active exploitation of CVE-2025-64446
By November 17, reporting from SC Media said attacks exploiting CVE-2025-64446 were underway in the wild, with watchTowr, PwnDefend, and Rapid7 observing intrusions. The bug was described as enabling path traversal and authentication bypass that could let attackers execute administrative commands and potentially fully compromise affected systems.
CISA alerts on FortiWeb vulnerability and urges remediation
CISA published an alert highlighting Fortinet's advisory for CVE-2025-64446, a relative path traversal vulnerability affecting FortiWeb products. The agency urged organizations to apply fixes or mitigations and set a November 21 remediation deadline for federal agencies.
Fortinet discloses CVE-2025-64446 in FortiWeb and issues advisory
Fortinet published security advisory FG-IR-25-910 for a relative path traversal/path confusion vulnerability in the FortiWeb GUI, tracked as CVE-2025-64446. The flaw affects multiple FortiWeb versions and Fortinet provided remediation guidance and workaround recommendations.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Attacks involving critical Fortinet FortiWeb bug underway
scworld.com
Open sourceKriittinen ja hyväksikäytetty haavoittuvuus Fortinet FortiWeb -tuotteessa | Traficom
kyberturvallisuuskeskus.fi
Open sourceKriittinen ja hyväksikäytetty haavoittuvuus Fortinet FortiWeb -tuotteessa | Traficom
kyberturvallisuuskeskus.fi
Open sourceCVE-2025-64446 - Fortinet FortiWeb Path Traversal Vulnerability
cvefeed.io
Open sourcePath confusion vulnerability in GUI
fortiguard.com
Open sourceFortinet Releases Security Advisory for Relative Path Traversal Vulnerability Affecting FortiWeb Products
cisa.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Path Traversal Vulnerability in Fortinet FortiWeb (CVE-2025-64446)
A critical vulnerability, CVE-2025-64446, has been identified in the GUI component of Fortinet FortiWeb, a web application firewall. This relative path traversal flaw allows remote, unauthenticated attackers to execute administrative commands on affected systems via crafted HTTP or HTTPS requests, potentially granting root access. The vulnerability affects FortiWeb versions 7.0.0 through 7.0.11, 7.2.0 through 7.2.11, 7.4.0 through 7.4.9, 7.6.0 through 7.6.4, and 8.0.0 through 8.0.1. Multiple sources confirm that this vulnerability is being actively exploited in the wild, and it has been added to CISA's Known Exploited Vulnerabilities catalog. Fortinet and cybersecurity authorities strongly urge organizations to upgrade to the latest patched versions: 7.0.12, 7.2.12, 7.4.10, 7.6.5, or 8.0.2 or later, depending on the affected release. Security advisories from both Fortinet and the Canadian Centre for Cyber Security emphasize the urgency of identifying and patching vulnerable systems immediately to mitigate the risk of compromise. Organizations are advised to use asset inventory tools to locate potentially impacted FortiWeb devices and apply the recommended updates without delay.
Mar 21, 2026
Fortinet FortiWeb Path Traversal Vulnerability CVE-2025-64446 Actively Exploited
A critical vulnerability, CVE-2025-64446, affecting Fortinet FortiWeb web application firewall devices has been actively exploited in the wild, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, present in FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, and earlier branches, allows unauthenticated remote attackers to bypass authentication and execute administrative commands via crafted HTTP or HTTPS requests. Attackers have leveraged this vulnerability to create unauthorized administrative accounts, such as "Testpoint" and "trader," enabling persistent and undetected access to affected systems. Fortinet has released patches in version 8.0.2 and equivalent updates, but exploitation continues against unpatched devices, exposing organizations to significant risk of compromise and data exposure. CISA's inclusion of CVE-2025-64446 in the KEV catalog underscores the urgency of remediation, especially for U.S. federal agencies, which have been mandated to patch vulnerable FortiWeb systems by November 21, 2025. The agency also strongly advises all organizations to prioritize remediation of this and other KEV-listed vulnerabilities to reduce exposure to active cyber threats. The vulnerability's exploitation highlights the ongoing risk posed by unpatched perimeter security devices and the importance of timely vulnerability management in defending against sophisticated attacks.
Mar 21, 2026
Active Exploitation of Fortinet FortiWeb Path Traversal Vulnerability (CVE-2025-64446)
A critical path traversal vulnerability in Fortinet FortiWeb, tracked as CVE-2025-64446, is being actively exploited in the wild. The flaw allows unauthenticated attackers to execute administrative commands on affected FortiWeb appliances by abusing the management API to reach internal endpoints. GreyNoise observed weaponization of this vulnerability within 72 hours of its disclosure, with coordinated scanning activity originating from multiple IPs and hosting providers, indicating a rapid and organized exploitation effort. The vulnerability affects FortiWeb versions 7.0 through 8.0, and exploit attempts have been detected using uniform TLS fingerprints, suggesting the use of automated tools. CISA added CVE-2025-64446 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch the flaw within a specified deadline. Another FortiWeb zero-day, CVE-2025-58034, was also disclosed and patched, but CVE-2025-64446 is noted as the more critical issue due to its unauthenticated attack vector and higher CVSS score. Security researchers emphasize the urgency of patching FortiWeb appliances to prevent unauthorized access and potential compromise, as exploitation is ongoing and targeting a broad range of organizations.
Mar 21, 2026