A zero-day path traversal vulnerability in Fortinet's FortiWeb web application firewall (WAF) is under active exploitation, posing a significant threat to organizations using the affected versions. This vulnerability, identified as CVE-2025-64446, allows unauthenticated attackers to execute administrative commands, potentially leading to full system compromise. Security researchers at Defused first reported the flaw on October 6, 2025, and reports of active attacks emerged by November 13, 2025. This article delves into the details of the vulnerability, its potential impact, and the necessary steps to mitigate the risk.
Introduction to FortiWeb and Path Traversal Vulnerabilities
Fortinet's FortiWeb is a web application firewall (WAF) designed to protect web applications from a variety of attacks, including SQL injection, cross-site scripting (XSS), and other common web vulnerabilities. A WAF acts as a s
A path traversal vulnerability, also known as directory traversal, is a security flaw that allows attackers to access files and directories outside of the intended web server root directory. By manipulating file paths in HTTP requests, attackers can potentially read sensitive files, execute arbitrary code, or even gain control of the server. The Common Weakness Enumeration (CWE) identifies this type of vulnerability as CWE-23.
Details of the Fortinet FortiWeb Zero-Day Flaw
The critical vulnerability, tracked as CVE-2025-64446, is a relative path traversal flaw affecting FortiWeb versions 7.0 through 8.0 prior to specific patches. According to Fortinet's advisory FG-IR-25-910, the vulnerability allows an unauthenticated attacker to execute administrative commands by sending crafted HTTP/HTTPS requests to specific endpoints, such as /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi.
The vulnerability resides in the FortiWeb's GUI, allowing attackers to create privileged admin accounts, bypassing authentication mechanisms. This can lead to full system compromise, as the attacker gains complete control over the WAF and the web applications it protects. The AHA bulletin highlights the severity of the issue, emphasizing the need for immediate action.
Defused's Discovery and Initial Report
Security researchers at Defused initially reported the path traversal flaw in FortiWeb on October 6, 2025. Their discovery triggered a series of investigations and responses from both Fortinet and the broader cybersecurity community. The early reporting of the vulnerability was crucial in alerting organizations to the potential threat and initiating the process of developing and deploying patches.
Potential Impact and Exploitation Scenarios
The potential impact of CVE-2025-64446 is severe. Successful exploitation allows attackers to:
- Create privileged admin accounts
- Bypass authentication
- Gain full control of the FortiWeb WAF
- Compromise web applications protected by the WAF
- Access sensitive data
- Disrupt web services
Exploitation scenarios include attackers scanning for vulnerable FortiWeb instances exposed to the internet and then sending crafted HTTP/HTTPS requests to create unauthorized administrator accounts. Once an attacker gains administrative access, they can modify WAF configurations, disable security features, and potentially pivot to attack the underlying web applications. Given that FortiWeb is often deployed at the network perimeter, a successful compromise can have far-reaching consequences.
Mitigation Strategies and Recommended Actions
To mitigate the risk posed by CVE-2025-64446, organizations should take the following actions immediately:
- Apply the Patch: Upgrade FortiWeb to a patched version. Fortinet has released fixes in versions 8.0.2, 7.6.5, 7.4.10, 7.2.12, and 7.0.12.
- Disable HTTP/HTTPS Access: As a temporary workaround, disable HTTP/HTTPS access on internet-facing management interfaces. This reduces the attack surface and prevents external attackers from directly targeting the vulnerable endpoints.
- Review Logs: Examine FortiWeb logs for any signs of unauthorized account creation or suspicious activity. Look for unusual login attempts or modifications to administrative settings.
- Implement a Virtual Patch: Consider using a virtual patching solution like the one released by CrowdSec to provide immediate mitigation while you plan and execute the upgrade.
- Restrict Access: Limit access to the FortiWeb management interface to trusted networks and administrators. Use strong authentication mechanisms, such as multi-factor authentication (MFA), to protect administrative accounts.
Fortinet's Response and Patch Availability
Fortinet has addressed the vulnerability with the release of patches for affected FortiWeb versions. The company issued an official advisory (FG-IR-25-910) on November 14, 2025, confirming in-the-wild exploitation. Patches are available for the following versions:
- FortiWeb 8.0.2
- FortiWeb 7.6.5
- FortiWeb 7.4.10
- FortiWeb 7.2.12
- FortiWeb 7.0.12
Fortinet's Product Security Incident Response Team (PSIRT) stated that "Fortinet has observed this to be exploited in the wild", underscoring the urgency of applying the patches. Organizations using vulnerable FortiWeb versions should prioritize upgrading to a patched version as soon as possible.
Broader Implications for Web Application Security
The exploitation of CVE-2025-64446 highlights the ongoing challenges in web application security and the importance of proactive vulnerability management. The fact that this is not the first FortiWeb exploit, with CVE-2025-25257 occurring in July 2025, emphasizes the need for continuous monitoring, patching, and security assessments.
The CrowdSec Network detected 60 distinct IPs probing for CVE-2025-64446 since October 2025. CrowdSec Intelligence also reported exploitation attempts starting on November 12, 2025, two days before public disclosure. This demonstrates that attackers are actively targeting this vulnerability, and organizations must remain vigilant.
The inclusion of CVE-2025-64446 in the CISA Known Exploited Vulnerabilities Catalog further underscores its significance. U.S. federal agencies are required to patch this vulnerability within specific deadlines, highlighting the critical nature of the threat.
The zero-day exploitation of the FortiWeb path traversal flaw serves as a stark reminder of the importance of maintaining a strong security posture. Organizations must prioritize patching vulnerabilities promptly, implementing robust security controls, and continuously monitoring their systems for suspicious activity. By taking these steps, they can significantly reduce their risk of falling victim to similar attacks.
Key Takeaways
- Fortinet FortiWeb's zero-day flaw poses a critical threat.
- Immediate patching is essential to prevent exploitation.
- Implementing strong security measures can mitigate risks.
FAQ
What is the Fortinet FortiWeb zero-day flaw?
The Fortinet FortiWeb zero-day flaw is a path traversal vulnerability identified as CVE-2025-64446, which allows attackers to execute administrative commands on affected systems.
How can I protect my systems from this vulnerability?
To protect your systems, apply the latest patches released by Fortinet, disable HTTP/HTTPS access on vulnerable interfaces, and implement strong authentication measures.
Why is this vulnerability significant?
This vulnerability is significant because it allows attackers to gain full control over the FortiWeb WAF, potentially compromising the security of web applications it protects.
Sources
- Automated Pipeline
- CVE-2025-64446: Critical Fortinet FortiWeb Path Traversal Vulnerability Actively Exploited
- Path confusion vulnerability in GUI - PSIRT | FortiGuard Labs
- CVE-2025-64446: FortiWeb Zero-Day Under Active Exploitation
- FortiWeb Path Traversal Exploit Actively Targeted
- CVE-2025-64446 Detail - NVD
- Source: hadrian.io
- Source: cve.org
