
CVE-2025-64446: FortiWeb Path Traversal Under Attack

CVE ID: CVE-2025-64446

Severity: CRITICAL | CVSS: 9.8

Sources: 3 different security sources

Status: ACTIVELY EXPLOITED - Added to CISA KEV Catalog

Let Me Explain What Happened

Sit down for a moment, because we need to talk about something serious happening right now. Fortinet's FortiWeb—a web application firewall that many organizations rely on to protect their systems—has a critical vulnerability that attackers are actively exploiting in the wild. Think of it like this: you installed a high-security lock on your front door, but it turns out there's a design flaw that lets someone walk right through if they know the trick. That's essentially what's happening here, and CISA has confirmed that attackers are already using this vulnerability against real targets.

The vulnerability, tracked as CVE-2025-64446, allows an attacker to execute administrative commands on your FortiWeb system without needing any credentials whatsoever. They don't need a username, they don't need a password—they just need to send specially crafted web requests to your device. This is about as serious as it gets, which is why it earned a CVSS score of 9.8 out of 10.

A Bit More Detail

The technical term for this vulnerability is a "relative path traversal" issue, catalogued under CWE-23. What does that mean in practical terms? Well, path traversal vulnerabilities occur when an application doesn't properly validate file paths that users provide. Attackers can manipulate these paths—using tricks like "../" sequences—to access files and directories they shouldn't be able to reach. In this case, the vulnerability goes beyond just reading files; it actually allows attackers to execute administrative commands on the underlying system.

This affects a wide range of FortiWeb versions spanning multiple major releases, from version 7.0 all the way through 8.0.1. If you're running FortiWeb in your environment, there's a very good chance you're affected unless you've applied recent patches.

The Technical Specifics

  • Attack Vector: Network (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • Attack Complexity: Low - No special conditions required
  • Privileges Required: None - Completely unauthenticated
  • User Interaction: None - Fully automated exploitation possible
  • Impact: Complete compromise - High confidentiality, integrity, and availability impact
  • CWE Classification: CWE-23 (Relative Path Traversal)
  • Affected Products:
    • FortiWeb 8.0.0 through 8.0.1
    • FortiWeb 7.6.0 through 7.6.4
    • FortiWeb 7.4.0 through 7.4.9
    • FortiWeb 7.2.0 through 7.2.11
    • FortiWeb 7.0.0 through 7.0.11
  • Exploitation Status: Actively exploited in the wild (confirmed by CISA KEV)
  • Public Exploit Code: Available on GitHub (watchtowrlabs/watchTowr-vs-Fortiweb-AuthBypass)
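As an added example (not Fortinet's tooling or the advisory's own code), a small check that extracts the x.y.z version from a FortiWeb version string and tests it against the affected ranges listed above; the version strings tested at the bottom are constructed.

```python
"""Check a FortiWeb version string against the affected ranges quoted above.

Added example, not Fortinet's tooling. The ranges are the ones listed in the
advisory summary for CVE-2025-64446; the inputs at the bottom are constructed.
"""
import re

# Affected ranges, inclusive at both ends, exactly as listed on the page.
AFFECTED_RANGES = [
    ((8, 0, 0), (8, 0, 1)),
    ((7, 6, 0), (7, 6, 4)),
    ((7, 4, 0), (7, 4, 9)),
    ((7, 2, 0), (7, 2, 11)),
    ((7, 0, 0), (7, 0, 11)),
]


def parse_version(text):
    """Return (major, minor, patch) from strings such as '7.6.4' or
    'FortiWeb-VM 7.4.3,build1234' (constructed format). None if absent."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version_text):
    """True if the version lies inside any listed range. Tuple comparison
    orders 7.4.10 after 7.4.9, so string comparison pitfalls are avoided.
    A False result only means 'not in a listed range': confirm the fixed
    version for your branch against the vendor advisory."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError("no x.y.z version found in: %r" % (version_text,))
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed version strings for demonstration only.
    for sample in ("7.4.3", "FortiWeb-VM 8.0.1,build0001", "7.6.5", "7.4.10"):
        print(sample, "->", "AFFECTED" if is_affected(sample) else "not in a listed range")
```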

Why This Matters So Much

Let me put this in perspective for you. Fortinet vulnerabilities have become a favorite target for sophisticated threat actors over the past few years. According to the research I've reviewed, there are currently 23 different Fortinet CVEs on CISA's Known Exploited Vulnerabilities catalog. That's not a coincidence—it's a pattern. Nation-state actors, ransomware groups, and other malicious actors have learned that Fortinet devices often sit at the perimeter of networks, making them high-value targets for initial access.

When CISA adds a vulnerability to their KEV catalog, it means they have credible evidence that attackers are actively using it in real-world attacks. This isn't theoretical—this is happening right now. The fact that exploit code has also been published on GitHub means that even less sophisticated attackers can now leverage this vulnerability. The window for safe remediation is closing rapidly.

What You Should Do About This

Here's my guidance, broken down into immediate actions and longer-term steps:

  • Right Now (Emergency Response):
    • Identify all FortiWeb instances: You need to know where these devices are deployed in your environment. Check your asset inventory, scan your network, and make absolutely certain you haven't missed any.
    • Check your versions: Log into each FortiWeb device and verify which version you're running. If it falls within the affected ranges listed above, assume you're vulnerable.
    • Review logs immediately: Look for unusual HTTP/HTTPS requests, especially those containing path traversal patterns like "../" or attempts to access administrative functions. Check for unexpected administrative command executions.
    • Implement network segmentation: If you can't patch immediately, restrict access to FortiWeb management interfaces to only trusted IP addresses. This won't eliminate the risk entirely, but it reduces your attack surface.
    • Consider temporary isolation: For Federal agencies and organizations subject to BOD 22-01, CISA's guidance is clear: apply mitigations per vendor instructions or disconnect affected devices until patching is complete.
  • For the Long Term (Remediation):
    • Apply vendor patches: Fortinet has released security updates to address this vulnerability. Visit the official Fortinet PSIRT advisory (FG-IR-25-910) for specific patch versions and upgrade instructions for your release branch.
    • Test before deploying: I know there's pressure to patch quickly, but test the updates in a non-production environment first if at all possible. Web application firewalls are critical infrastructure, and you want to ensure the patch doesn't introduce operational issues.
    • Verify the patch: After applying updates, confirm that you're running a non-vulnerable version and that the device is functioning correctly.
    • Hunt for compromise indicators: Even after patching, you need to investigate whether attackers already exploited this vulnerability in your environment. Look for signs of unauthorized access, configuration changes, or lateral movement from FortiWeb devices.
    • Implement defense in depth: Don't rely solely on FortiWeb being patched. Ensure you have additional security controls, monitoring, and logging in place to detect and respond to compromise attempts.

Detection and Hunting Guidance

If you're a security analyst or threat hunter, here are some specific things to look for:

  • Web server logs: Search for HTTP/HTTPS requests containing path traversal sequences ("../", "..%2f", encoded variants) targeting FortiWeb management interfaces.
  • Administrative command execution: Look for unexpected administrative commands being executed, especially those that wouldn't align with normal maintenance windows or authorized administrator activity.
  • Authentication anomalies: Since this vulnerability allows unauthenticated access, look for administrative actions that occurred without corresponding authentication events.
  • Network connections: Monitor for unusual outbound connections from FortiWeb devices, which could indicate command-and-control communication or data exfiltration.
  • Configuration changes: Review FortiWeb configuration history for unauthorized modifications, especially changes to security policies, user accounts, or network settings.
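To make the web-server-log item concrete, here is an added example (not FortiWeb's own log format and not a vendor-supplied signature) that URL-decodes each request path, including double-encoded and backslash variants, and flags lines carrying a ".." segment while ignoring filenames that merely contain two dots; the log lines are constructed in a generic combined-log layout and the paths in them are placeholders.

```python
"""Flag access-log lines whose request path contains a path-traversal segment
after decoding. Added example; the log format and lines are constructed."""
import re
from urllib.parse import unquote

# Combined-log style: client, timestamp, "METHOD PATH PROTO", status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def normalize_path(raw):
    """Decode up to three times so ..%2f, ..%252f and %2e%2e/ all collapse to
    their literal form, then treat backslashes (%5c) as slashes."""
    cur = raw
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")


def has_traversal(raw_path):
    """True if a '..' segment follows the start, a slash or a query separator
    and is followed by a slash or the end; 'report..pdf' does not match."""
    return re.search(r"(?:^|[/=?&])\.\.(?:/|$)", normalize_path(raw_path)) is not None


def scan_log(lines):
    """Return (client, timestamp, raw path, status) for each suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: not a hit, but worth a separate look
        client, ts, _method, path, status = m.groups()
        if has_traversal(path):
            hits.append((client, ts, path, status))
    return hits


# Constructed sample lines; hosts, paths and times are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [17/Nov/2025:10:01:02 +0000] "GET /api/v2.0/status HTTP/1.1" 200',
    '203.0.113.9 - - [17/Nov/2025:10:01:05 +0000] "GET /static/..%2f..%2fmgmt HTTP/1.1" 403',
    '203.0.113.9 - - [17/Nov/2025:10:01:06 +0000] "POST /static/..%252f..%252fmgmt HTTP/1.1" 200',
    '198.51.100.7 - - [17/Nov/2025:10:01:09 +0000] "GET /files/report..pdf HTTP/1.1" 200',
]

if __name__ == "__main__":
    for client, ts, path, status in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} {status} {path}")
```

A 200 on a decoded traversal path deserves more attention than a 403, since it shows the request was not rejected; correlate those hits with the authentication-event check above.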

Understanding the Broader Context

This vulnerability fits into a concerning pattern we've seen with edge security devices. When you map this to the MITRE ATT&CK framework, we're looking at several techniques:

  • T1190 - Exploit Public-Facing Application: The initial access vector, exploiting an internet-accessible FortiWeb device.
  • T1078 - Valid Accounts: By executing administrative commands, attackers can create their own valid accounts for persistence.
  • T1562.001 - Impair Defenses: Disable or Modify Tools: With administrative access to a web application firewall, attackers can disable security controls and modify detection rules.
  • T1083 - File and Directory Discovery: The path traversal nature of the vulnerability enables reconnaissance of the file system.

The publication of exploit code on GitHub by WatchTowr Labs serves an important purpose in the security community—it allows defenders to understand the attack mechanics and test their defenses. However, it also means that the barrier to exploitation has been significantly lowered. You don't need to be a sophisticated threat actor anymore to leverage this vulnerability.

A Word of Encouragement

I know this feels overwhelming, especially if you're managing a large environment with multiple FortiWeb deployments. Take a deep breath. You've got this. The fact that you're reading this and taking the threat seriously already puts you ahead of many organizations. Prioritize your response based on risk: internet-facing devices first, then work your way through your inventory systematically.

Remember that security is a continuous process, not a destination. Even after you've patched this vulnerability, maintain vigilance. Keep your systems updated, monitor your logs, and stay informed about emerging threats. The security community is here to help, and vendors like Fortinet do release patches—you just need to apply them promptly.

Where I Found This Information

Note: This analysis is based on authoritative sources including NVD, CISA, and Fortinet's official security advisories. The vulnerability is confirmed to be actively exploited. Always test security updates in a controlled environment before deploying to production systems, but given the active exploitation status, prioritize rapid remediation. If you're subject to CISA BOD 22-01 requirements, follow the mandatory timelines for patching Known Exploited Vulnerabilities.