Fortinet FortiWeb Path Traversal Vulnerability CVE-2025-64446 Actively Exploited
A critical vulnerability, CVE-2025-64446, affecting Fortinet FortiWeb web application firewall devices has been actively exploited in the wild, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, present in FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, and earlier branches, allows unauthenticated remote attackers to bypass authentication and execute administrative commands via crafted HTTP or HTTPS requests. Attackers have leveraged this vulnerability to create unauthorized administrative accounts, such as "Testpoint" and "trader," enabling persistent and undetected access to affected systems. Fortinet has released patches in version 8.0.2 and equivalent updates, but exploitation continues against unpatched devices, exposing organizations to significant risk of compromise and data exposure.
CISA's inclusion of CVE-2025-64446 in the KEV catalog underscores the urgency of remediation, especially for U.S. federal agencies, which have been mandated to patch vulnerable FortiWeb systems by November 21, 2025. The agency also strongly advises all organizations to prioritize remediation of this and other KEV-listed vulnerabilities to reduce exposure to active cyber threats. The vulnerability's exploitation highlights the ongoing risk posed by unpatched perimeter security devices and the importance of timely vulnerability management in defending against sophisticated attacks.
Sources
Related Stories
Active Exploitation of Fortinet FortiWeb Path Traversal Vulnerability (CVE-2025-64446)
A critical path traversal vulnerability in Fortinet FortiWeb, tracked as CVE-2025-64446, is being actively exploited in the wild. The flaw allows unauthenticated attackers to execute administrative commands on affected FortiWeb appliances by abusing the management API to reach internal endpoints. GreyNoise observed weaponization of this vulnerability within 72 hours of its disclosure, with coordinated scanning activity originating from multiple IPs and hosting providers, indicating a rapid and organized exploitation effort. The vulnerability affects FortiWeb versions 7.0 through 8.0, and exploit attempts have been detected using uniform TLS fingerprints, suggesting the use of automated tools. CISA added CVE-2025-64446 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch the flaw within a specified deadline. Another FortiWeb zero-day, CVE-2025-58034, was also disclosed and patched, but CVE-2025-64446 is noted as the more critical issue due to its unauthenticated attack vector and higher CVSS score. Security researchers emphasize the urgency of patching FortiWeb appliances to prevent unauthorized access and potential compromise, as exploitation is ongoing and targeting a broad range of organizations.
3 months agoCritical Path Traversal Vulnerability in Fortinet FortiWeb (CVE-2025-64446)
A critical vulnerability, CVE-2025-64446, has been identified in the GUI component of Fortinet FortiWeb, a web application firewall. This relative path traversal flaw allows remote, unauthenticated attackers to execute administrative commands on affected systems via crafted HTTP or HTTPS requests, potentially granting root access. The vulnerability affects FortiWeb versions 7.0.0 through 7.0.11, 7.2.0 through 7.2.11, 7.4.0 through 7.4.9, 7.6.0 through 7.6.4, and 8.0.0 through 8.0.1. Multiple sources confirm that this vulnerability is being actively exploited in the wild, and it has been added to CISA's Known Exploited Vulnerabilities catalog. Fortinet and cybersecurity authorities strongly urge organizations to upgrade to the latest patched versions: 7.0.12, 7.2.12, 7.4.10, 7.6.5, or 8.0.2 or later, depending on the affected release. Security advisories from both Fortinet and the Canadian Centre for Cyber Security emphasize the urgency of identifying and patching vulnerable systems immediately to mitigate the risk of compromise. Organizations are advised to use asset inventory tools to locate potentially impacted FortiWeb devices and apply the recommended updates without delay.
4 months agoFortinet FortiWeb Path Traversal Vulnerability Enabling Remote Command Execution
A critical path traversal vulnerability (CVE-2025-64446) has been identified in multiple versions of Fortinet FortiWeb, allowing unauthenticated attackers to execute administrative commands on affected systems via crafted HTTP or HTTPS requests. Fortinet has confirmed that this vulnerability is being actively exploited in the wild. The affected versions include FortiWeb 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. The vulnerability is rated as critical, with a CVSS score of 9.1, and exploitation can lead to full administrative compromise of the device. Fortinet recommends immediate upgrades to patched versions (8.0.2, 7.6.5, 7.4.10, 7.2.12, or 7.0.12 and above) and advises disabling HTTP/HTTPS on internet-facing interfaces as a temporary mitigation. Organizations are urged to review configurations and logs for unauthorized changes or the creation of new administrator accounts following remediation. The vulnerability is tracked as CVE-2025-64446 and is documented in both Fortinet's official advisory and public CVE feeds.
4 months ago