CISA updates advisory on Fortinet FortiWeb vulnerabilities affecting remote code execution

Fortinet FortiWeb, a Web Application Firewall (WAF), is affected by two vulnerabilities that, chained together, can give an attacker remote code execution on the appliance. On affected FortiWeb versions they allow an attacker to execute administrative commands without authentication and then to escalate to operating-system-level command execution.

The two vulnerabilities are tracked as CVE-2025-64446 and CVE-2025-58034.

CVE-2025-64446 is a Relative Path Traversal vulnerability (CWE-23) in the FortiWeb management web interface. It allows an unauthenticated attacker to execute administrative commands by sending specially crafted Hypertext Transfer Protocol (HTTP) or HTTPS requests. It affects FortiWeb 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11.

CVE-2025-58034 is an Operating System (OS) Command Injection vulnerability (CWE-78). It allows an authenticated attacker to run unauthorized code on the underlying OS through crafted HTTP requests or Command-Line Interface (CLI) commands. It affects FortiWeb 8.0.0 through 8.0.1, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. Note that the 7.6 and 7.4 ranges for this CVE extend one release beyond those for CVE-2025-64446: a device patched only for the first issue can still be vulnerable to the second.

Exploitation of these vulnerabilities results in unauthorized remote code execution on FortiWeb systems. Because CVE-2025-64446 requires no authentication while CVE-2025-58034 does, the natural chain is to use the path traversal first to obtain administrative access (for example by issuing administrative commands that create or modify an account), and then to use the command injection from that authenticated position to run OS commands and escalate privileges on the device. Combined exploitation can therefore lead to complete compromise of an affected FortiWeb appliance by an attacker who started with no credentials.

Fortinet advises upgrading affected FortiWeb devices to the following versions to remediate both vulnerabilities: for FortiWeb 8.0, upgrade to 8.0.2 or later; for 7.6, upgrade to 7.6.5 or later for CVE-2025-64446 and to 7.6.6 or later for CVE-2025-58034; for 7.4, upgrade to 7.4.10 or later for CVE-2025-64446 and to 7.4.11 or later for CVE-2025-58034; for 7.2, upgrade to 7.2.12 or later; and for 7.0, upgrade to 7.0.12 or later. In practice this means a device on the 7.6 or 7.4 branch should go to 7.6.6 or 7.4.11 respectively; stopping at 7.6.5 or 7.4.10 closes only the path traversal. If an immediate upgrade is not feasible, disabling HTTP and HTTPS access on internet-facing interfaces reduces exposure to the unauthenticated path traversal, but it is a stop-gap and does not resolve either vulnerability. After upgrading, review system configurations (in particular administrator accounts and their creation times) and logs for unauthorized changes made before the patch was applied.
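The affected and fixed versions above differ per branch and, for 7.6 and 7.4, per CVE, which is easy to get wrong when triaging a fleet by hand. The following script is an added example (not Fortinet or CISA tooling) that encodes the ranges from this advisory and, given a FortiWeb version string, reports the status for each CVE and the single lowest release on the device's branch that closes both. Branches the advisory does not list (for example 6.x) are reported as "unlisted" rather than "fixed", because the advisory says nothing about them. The function names and the host inventory are this example's own assumptions; the inventory is constructed sample data.

```python
"""Triage FortiWeb versions against the affected ranges published for
CVE-2025-64446 and CVE-2025-58034 (added example, not vendor tooling).
The ranges below are copied from the advisory text; hostnames are made up."""
from __future__ import annotations

Version = tuple[int, int, int]

# Per CVE: (branch, first affected, last affected, first fixed), from the advisory.
AFFECTED: dict[str, list[tuple[tuple[int, int], Version, Version, Version]]] = {
    "CVE-2025-64446": [
        ((8, 0), (8, 0, 0), (8, 0, 1), (8, 0, 2)),
        ((7, 6), (7, 6, 0), (7, 6, 4), (7, 6, 5)),
        ((7, 4), (7, 4, 0), (7, 4, 9), (7, 4, 10)),
        ((7, 2), (7, 2, 0), (7, 2, 11), (7, 2, 12)),
        ((7, 0), (7, 0, 0), (7, 0, 11), (7, 0, 12)),
    ],
    "CVE-2025-58034": [
        ((8, 0), (8, 0, 0), (8, 0, 1), (8, 0, 2)),
        ((7, 6), (7, 6, 0), (7, 6, 5), (7, 6, 6)),
        ((7, 4), (7, 4, 0), (7, 4, 10), (7, 4, 11)),
        ((7, 2), (7, 2, 0), (7, 2, 11), (7, 2, 12)),
        ((7, 0), (7, 0, 0), (7, 0, 11), (7, 0, 12)),
    ],
}


def parse_version(text: str) -> Version:
    """Accept 'FortiWeb 7.4.9', '7.4.9' or 'v7.4.9'; reject anything that is
    not exactly major.minor.patch so a truncated value never triages as safe."""
    token = text.strip().split()[-1].lstrip("vV")
    parts = token.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def check_version(version: str) -> dict[str, tuple[str, str | None]]:
    """Return {cve: (status, upgrade_target)}.

    status is 'affected' (target = first fixed release on this branch),
    'fixed' (device is at or past the fixed release on a listed branch), or
    'unlisted' (branch not covered by the advisory; treat as unknown, not safe)."""
    v = parse_version(version)
    result: dict[str, tuple[str, str | None]] = {}
    for cve, ranges in AFFECTED.items():
        status, target = "unlisted", None
        for branch, lo, hi, fixed in ranges:
            if v[:2] != branch:
                continue
            if lo <= v <= hi:
                status, target = "affected", fmt(fixed)
            elif v >= fixed:
                status = "fixed"
            else:  # on the branch but outside both ranges: never call that safe
                status, target = "affected", fmt(fixed)
            break
        result[cve] = (status, target)
    return result


def upgrade_target(version: str) -> str | None:
    """Lowest release on the device's branch that closes every affected CVE,
    or None when no listed range applies (fully patched or unlisted branch)."""
    targets = [parse_version(t) for _, t in check_version(version).values() if t]
    return fmt(max(targets)) if targets else None


def triage(inventory: dict[str, str]) -> list[tuple[str, str, str, str | None]]:
    """Flatten an inventory {host: version} into (host, cve, status, target) rows."""
    rows = []
    for host, ver in inventory.items():
        for cve, (status, target) in check_version(ver).items():
            rows.append((host, cve, status, target))
    return rows


# Constructed sample inventory, not real hosts.
INVENTORY = {
    "waf-edge-01": "FortiWeb 7.4.9",  # affected by both CVEs
    "waf-edge-02": "7.6.5",           # CVE-2025-64446 fixed, CVE-2025-58034 still open
    "waf-lab-01": "v8.0.2",           # fixed for both
    "waf-legacy-01": "6.4.3",         # branch the advisory does not cover
}

if __name__ == "__main__":
    for host, cve, status, target in triage(INVENTORY):
        print(f"{host:14} {cve}  {status:9} {target or '-'}")
    for host, ver in INVENTORY.items():
        print(f"{host:14} upgrade to: {upgrade_target(ver) or '-'}")
```

The `upgrade_target` result is what belongs in a change ticket: for a 7.6.5 device it is 7.6.6, not 7.6.5, because the second CVE's range runs one release further. Versions that do not parse raise rather than defaulting to "fixed", so a blank or truncated field in an inventory export cannot hide an unpatched appliance.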

CISA added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-64446 on November 14, 2025 and CVE-2025-58034 on November 18, 2025. Organizations are urged to apply the updates above and to monitor FortiWeb appliances for anomalous behavior, including unexpected administrator accounts or configuration changes. Incidents and unusual activity can be reported to CISA's Operations Center.