The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical path traversal vulnerability in Fortinet’s FortiWeb Web Application Firewall (WAF) to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation that allows unauthenticated attackers to gain administrative access through crafted HTTP or HTTPS requests.
This flaw, tracked as CVE-2025-64446, poses severe risks to organizations relying on FortiWeb for web application protection, as attackers can execute unauthorized commands on the underlying system.
Fortinet disclosed the issue on November 14, 2025, urging immediate patching to versions 7.4.8 or 7.6.6 for affected builds up to 7.4.7 and 7.6.5.
Exploitation evidence emerged in October 2025, with security researchers detecting indiscriminate attacks via honeypots and network monitoring tools.
The vulnerability stems from improper handling of relative paths in requests, enabling traversal outside intended directories to access sensitive configuration files or execute admin-level operations without authentication.
Technical details reveal that attackers craft requests that target management interfaces, bypassing security checks and injecting paths such as “../../../” to reach root-level commands, potentially leading to whole device compromise.
Once inside, threat actors can turn off WAF rules, exfiltrate logs, or pivot to internal networks, amplifying risks in sectors such as finance and healthcare where FortiWeb secures customer-facing apps.
CISA’s inclusion in the KEV catalog mandates that federal agencies apply mitigations by November 21, 2025, under Binding Operational Directive 22-01, which emphasizes the flaw’s role as a common attack vector for ransomware and data breaches.
Private organizations face a similar urgency, as unpatched systems become easy targets for opportunistic hackers scanning the internet for exposed FortiWeb instances.
Fortinet’s advisory (FG-IR-25-910) confirms that there is no evidence of widespread customer data loss.
However, it highlights the need for network segmentation and VPN-restricted admin access to limit exposure.
Vulnerability Technical Breakdown
CVE-2025-64446 has a CVSS score of 9.1, classified as critical due to its high impact on confidentiality, integrity, and availability, and with low attack complexity that requires no privileges or user interaction.
The path traversal (CWE-23) occurs in the WAF’s request processing module, where insufficient input validation allows directory-traversal payloads to access protected endpoints, such as /sysadmin or configuration stores.
Proof-of-concept exploits shared by researchers in early October demonstrated the creation of rogue admin accounts, the alteration of firewall policies, and the deployment of backdoors via simple curl commands to exposed ports 443 or 80.
Affected versions include FortiWeb-VM 7.2.0 through 7.6.5, as well as hardware models running similar firmware, often deployed in cloud environments such as AWS or on-premises setups.
Detection involves monitoring logs for anomalous HTTP requests with traversal strings, such as repeated “../” sequences targeting admin paths, or unexpected admin account creations via FortiAnalyzer tools.
While Fortinet has not attributed attacks to specific groups, patterns suggest scanning by botnets and targeted probes in critical infrastructure.
Organizations should inventory FortiWeb deployments using tools such as Shodan for exposure checks and enable logging for all management traffic to detect post-exploitation activity.
Mitigation and Response Steps
Immediate upgrades to patched versions 7.4.8, 7.6.6, or 8.0.2 are essential, with Fortinet providing rollback guidance for complex environments to minimize downtime.
Interim mitigations include restricting WAF management interfaces to trusted IP ranges via ACLs and turning off unnecessary HTTP/HTTPS exposure on public-facing ports.
CISA recommends following BOD 22-01 for cloud instances, including continuous monitoring of access logs for signs of traversal attempts or unauthorized logins.
For recovery, scan affected systems with Fortinet’s FortiGuard services or third-party EDR tools to detect persistence mechanisms, such as modified configurations or injected scripts.
Broader lessons highlight the irony of WAFs being compromised, underscoring the need for zero-trust segmentation and regular vulnerability scans in security toolchains.
As exploitation continues, proactive patching remains the most vigorous defense against this and similar flaws in perimeter defenses.
 has added a critical path traversal vulnerability in Fortinet's FortiWeb Web){kind=link}