Critical Path Traversal Vulnerability in Fortinet FortiWeb (CVE-2025-64446)
A critical vulnerability, CVE-2025-64446, has been identified in the GUI component of Fortinet FortiWeb, a web application firewall. This relative path traversal flaw allows remote, unauthenticated attackers to execute administrative commands on affected systems via crafted HTTP or HTTPS requests, potentially granting root access. The vulnerability affects FortiWeb versions 7.0.0 through 7.0.11, 7.2.0 through 7.2.11, 7.4.0 through 7.4.9, 7.6.0 through 7.6.4, and 8.0.0 through 8.0.1. Multiple sources confirm that this vulnerability is being actively exploited in the wild, and it has been added to CISA's Known Exploited Vulnerabilities catalog.
Fortinet and cybersecurity authorities strongly urge organizations to upgrade to the latest patched versions: 7.0.12, 7.2.12, 7.4.10, 7.6.5, or 8.0.2 or later, depending on the affected release. Security advisories from both Fortinet and the Canadian Centre for Cyber Security emphasize the urgency of identifying and patching vulnerable systems immediately to mitigate the risk of compromise. Organizations are advised to use asset inventory tools to locate potentially impacted FortiWeb devices and apply the recommended updates without delay.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Canadian Centre for Cyber Security issues Fortinet alerts
The Canadian Centre for Cyber Security published advisory AV25-758 and alert AL25-017 covering the Fortinet FortiWeb vulnerability CVE-2025-64446. The publications signaled official government awareness and guidance related to the issue.
Active exploitation and PoC availability reported for FortiWeb bugs
Reporting indicated there was evidence of in-the-wild exploitation for both CVE-2025-64446 and CVE-2025-25257. Public proof-of-concept exploit code was also noted for CVE-2025-25257, increasing remediation urgency.
Fortinet releases patches and mitigation guidance for FortiWeb flaws
Fortinet released fixes for affected FortiWeb versions and advised organizations to upgrade immediately. It also recommended restricting or disabling access to the administrative interface as a mitigation step.
Fortinet discloses two critical FortiWeb vulnerabilities
Fortinet disclosed CVE-2025-64446, a GUI relative path traversal flaw, and CVE-2025-25257, a pre-authentication SQL injection in the Fabric Connector API, both affecting multiple FortiWeb versions. The flaws allow remote unauthenticated attackers to execute administrative or arbitrary commands via crafted HTTP or HTTPS requests.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Fortinet FortiWeb Path Traversal Vulnerability Enabling Remote Command Execution
A critical path traversal vulnerability (CVE-2025-64446) has been identified in multiple versions of Fortinet FortiWeb, allowing unauthenticated attackers to execute administrative commands on affected systems via crafted HTTP or HTTPS requests. Fortinet has confirmed that this vulnerability is being actively exploited in the wild. The affected versions include FortiWeb 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. The vulnerability is rated as critical, with a CVSS score of 9.1, and exploitation can lead to full administrative compromise of the device. Fortinet recommends immediate upgrades to patched versions (8.0.2, 7.6.5, 7.4.10, 7.2.12, or 7.0.12 and above) and advises disabling HTTP/HTTPS on internet-facing interfaces as a temporary mitigation. Organizations are urged to review configurations and logs for unauthorized changes or the creation of new administrator accounts following remediation. The vulnerability is tracked as CVE-2025-64446 and is documented in both Fortinet's official advisory and public CVE feeds.
Apr 21, 2026
Fortinet FortiWeb Path Traversal Vulnerability CVE-2025-64446 Actively Exploited
A critical vulnerability, CVE-2025-64446, affecting Fortinet FortiWeb web application firewall devices has been actively exploited in the wild, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, present in FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, and earlier branches, allows unauthenticated remote attackers to bypass authentication and execute administrative commands via crafted HTTP or HTTPS requests. Attackers have leveraged this vulnerability to create unauthorized administrative accounts, such as "Testpoint" and "trader," enabling persistent and undetected access to affected systems. Fortinet has released patches in version 8.0.2 and equivalent updates, but exploitation continues against unpatched devices, exposing organizations to significant risk of compromise and data exposure. CISA's inclusion of CVE-2025-64446 in the KEV catalog underscores the urgency of remediation, especially for U.S. federal agencies, which have been mandated to patch vulnerable FortiWeb systems by November 21, 2025. The agency also strongly advises all organizations to prioritize remediation of this and other KEV-listed vulnerabilities to reduce exposure to active cyber threats. The vulnerability's exploitation highlights the ongoing risk posed by unpatched perimeter security devices and the importance of timely vulnerability management in defending against sophisticated attacks.
Mar 21, 2026
Active Exploitation of Fortinet FortiWeb Path Traversal Vulnerability (CVE-2025-64446)
A critical path traversal vulnerability in Fortinet FortiWeb, tracked as CVE-2025-64446, is being actively exploited in the wild. The flaw allows unauthenticated attackers to execute administrative commands on affected FortiWeb appliances by abusing the management API to reach internal endpoints. GreyNoise observed weaponization of this vulnerability within 72 hours of its disclosure, with coordinated scanning activity originating from multiple IPs and hosting providers, indicating a rapid and organized exploitation effort. The vulnerability affects FortiWeb versions 7.0 through 8.0, and exploit attempts have been detected using uniform TLS fingerprints, suggesting the use of automated tools. CISA added CVE-2025-64446 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch the flaw within a specified deadline. Another FortiWeb zero-day, CVE-2025-58034, was also disclosed and patched, but CVE-2025-64446 is noted as the more critical issue due to its unauthenticated attack vector and higher CVSS score. Security researchers emphasize the urgency of patching FortiWeb appliances to prevent unauthorized access and potential compromise, as exploitation is ongoing and targeting a broad range of organizations.
Mar 21, 2026