CISA issues alert on Fortinet FortiWeb path traversal vulnerability

Fortinet FortiWeb Web Application Firewall (WAF) versions have a vulnerability related to relative path traversal that permits unauthorized execution of administrative commands through crafted Hypertext Transfer Protocol (HTTP) or HTTPS requests.

The affected FortiWeb versions include 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. This issue, tracked as CVE-2025-64446, allows an unauthenticated malicious actor to trigger administrative command execution by sending specific HTTP or HTTPS requests exploiting a CWE-23 relative path traversal flaw.

Exploitation of this vulnerability can result in unauthorized administrative command execution on the target system.

Fortinet has released updates addressing this vulnerability. Users of FortiWeb 8.0 should upgrade to version 8.0.2 or later; FortiWeb 7.6 users to 7.6.5 or later; FortiWeb 7.4 users to 7.4.10 or later; FortiWeb 7.2 users to 7.2.12 or later; and FortiWeb 7.0 users to 7.0.12 or later. For environments where immediate upgrade is not feasible, disabling HTTP or HTTPS on internet-facing interfaces is recommended, though this measure does not fully eliminate the risk.

Organizations are advised to consult Fortinet’s official guidance and after applying updates, to audit configuration and logs for unexpected changes or unauthorized administrative account creations.

This vulnerability, CVE-2025-64446, was added to the Known Exploited Vulnerabilities (KEV) Catalog by CISA on November 14, 2025.