Fortinet FortiWeb Path Traversal Vulnerability CVE-2025-64446 Actively Exploited
A critical vulnerability, CVE-2025-64446, affecting Fortinet FortiWeb web application firewall devices has been actively exploited in the wild, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, present in FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, and earlier branches, allows unauthenticated remote attackers to bypass authentication and execute administrative commands via crafted HTTP or HTTPS requests. Attackers have leveraged this vulnerability to create unauthorized administrative accounts, such as "Testpoint" and "trader," enabling persistent and undetected access to affected systems. Fortinet has released patches in version 8.0.2 and equivalent updates, but exploitation continues against unpatched devices, exposing organizations to significant risk of compromise and data exposure.
CISA's inclusion of CVE-2025-64446 in the KEV catalog underscores the urgency of remediation, especially for U.S. federal agencies, which have been mandated to patch vulnerable FortiWeb systems by November 21, 2025. The agency also strongly advises all organizations to prioritize remediation of this and other KEV-listed vulnerabilities to reduce exposure to active cyber threats. The vulnerability's exploitation highlights the ongoing risk posed by unpatched perimeter security devices and the importance of timely vulnerability management in defending against sophisticated attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
CISA adds Fortinet FortiWeb CVE-2025-64446 to KEV catalog
CISA added CVE-2025-64446, a path traversal vulnerability affecting Fortinet FortiWeb, to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The agency said Federal Civilian Executive Branch agencies must remediate the flaw under BOD 22-01 by the specified due date and urged all organizations to prioritize patching.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
U.S. CISA adds a new Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Open sourceFortinet’s delayed alert on actively exploited defect put defenders at a disadvantage
cyberscoop.com
Open sourceCritical Fortinet FortiWeb Vulnerability CVE-2025-64446
thecyberthrone.in
Open sourceU.S. CISA adds Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Open sourceCISA Adds One Known Exploited Vulnerability to Catalog
cisa.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Active Exploitation of Fortinet FortiWeb Path Traversal Vulnerability (CVE-2025-64446)
A critical path traversal vulnerability in Fortinet FortiWeb, tracked as CVE-2025-64446, is being actively exploited in the wild. The flaw allows unauthenticated attackers to execute administrative commands on affected FortiWeb appliances by abusing the management API to reach internal endpoints. GreyNoise observed weaponization of this vulnerability within 72 hours of its disclosure, with coordinated scanning activity originating from multiple IPs and hosting providers, indicating a rapid and organized exploitation effort. The vulnerability affects FortiWeb versions 7.0 through 8.0, and exploit attempts have been detected using uniform TLS fingerprints, suggesting the use of automated tools. CISA added CVE-2025-64446 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch the flaw within a specified deadline. Another FortiWeb zero-day, CVE-2025-58034, was also disclosed and patched, but CVE-2025-64446 is noted as the more critical issue due to its unauthenticated attack vector and higher CVSS score. Security researchers emphasize the urgency of patching FortiWeb appliances to prevent unauthorized access and potential compromise, as exploitation is ongoing and targeting a broad range of organizations.
Mar 21, 2026
Critical Path Traversal Vulnerability in Fortinet FortiWeb (CVE-2025-64446)
A critical vulnerability, CVE-2025-64446, has been identified in the GUI component of Fortinet FortiWeb, a web application firewall. This relative path traversal flaw allows remote, unauthenticated attackers to execute administrative commands on affected systems via crafted HTTP or HTTPS requests, potentially granting root access. The vulnerability affects FortiWeb versions 7.0.0 through 7.0.11, 7.2.0 through 7.2.11, 7.4.0 through 7.4.9, 7.6.0 through 7.6.4, and 8.0.0 through 8.0.1. Multiple sources confirm that this vulnerability is being actively exploited in the wild, and it has been added to CISA's Known Exploited Vulnerabilities catalog. Fortinet and cybersecurity authorities strongly urge organizations to upgrade to the latest patched versions: 7.0.12, 7.2.12, 7.4.10, 7.6.5, or 8.0.2 or later, depending on the affected release. Security advisories from both Fortinet and the Canadian Centre for Cyber Security emphasize the urgency of identifying and patching vulnerable systems immediately to mitigate the risk of compromise. Organizations are advised to use asset inventory tools to locate potentially impacted FortiWeb devices and apply the recommended updates without delay.
Mar 21, 2026
Fortinet FortiWeb Path Traversal Vulnerability Enabling Remote Command Execution
A critical path traversal vulnerability (CVE-2025-64446) has been identified in multiple versions of Fortinet FortiWeb, allowing unauthenticated attackers to execute administrative commands on affected systems via crafted HTTP or HTTPS requests. Fortinet has confirmed that this vulnerability is being actively exploited in the wild. The affected versions include FortiWeb 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. The vulnerability is rated as critical, with a CVSS score of 9.1, and exploitation can lead to full administrative compromise of the device. Fortinet recommends immediate upgrades to patched versions (8.0.2, 7.6.5, 7.4.10, 7.2.12, or 7.0.12 and above) and advises disabling HTTP/HTTPS on internet-facing interfaces as a temporary mitigation. Organizations are urged to review configurations and logs for unauthorized changes or the creation of new administrator accounts following remediation. The vulnerability is tracked as CVE-2025-64446 and is documented in both Fortinet's official advisory and public CVE feeds.
Apr 21, 2026