CISA issues alert on Fortinet FortiWeb relative path traversal vulnerability

Fortinet's FortiWeb Web Application Firewall (WAF) product includes a vulnerability that can permit unauthorized administrative command execution. This vulnerability affects multiple FortiWeb versions and arises from a relative path traversal issue exploitable through specific Hypertext Transfer Protocol (HTTP) or HTTPS requests.

The identified vulnerability, tracked as CVE-2025-64446, impacts FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. This relative path traversal (CWE-23) can be triggered by an unauthenticated attacker issuing specially crafted requests via HTTP or HTTPS. The vulnerability permits execution of administrative commands on compromised systems through this attack vector.

The consequences of this vulnerability include unauthorized administrative control over affected FortiWeb devices, which may involve execution of system-level commands without authentication.

Fortinet has provided fixed versions to address this issue: upgrade 8.0.0 through 8.0.1 to version 8.0.2 or later; 7.6.0 through 7.6.4 to 7.6.5 or later; 7.4.0 through 7.4.9 to 7.4.10 or later; 7.2.0 through 7.2.11 to 7.2.12 or later; and 7.0.0 through 7.0.11 to 7.0.12 or later. If immediate upgrading is not possible, disabling HTTP and HTTPS services on internet-facing interfaces is recommended, though this measure reduces but does not eliminate risk. Post-upgrade, configurations and logs should be reviewed for unauthorized changes or administrative account activity.

CISA has incorporated CVE-2025-64446 into its Known Exploited Vulnerabilities (KEV) Catalog as of November 14, 2025. Organizations are advised to follow published vendor remediation guidelines and monitor their systems for anomalous behaviors related to this vulnerability.