6 min read
By: RedLegg's Cyber Threat Intelligence Team
About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Relative Path Traversal Allowing Remote Administrative Commands in Fortinet FortiWeb
CVSS Score: 9.1 (Critical, CVSS v3.1)
Identifier: CVE-2025-64446
Exploit or Proof of Concept (PoC):
This vulnerability is confirmed to be exploited in the wild. Attackers have used crafted HTTP/HTTPS requests to abuse the path traversal flaw, gain unauthorized administrative access, and create new admin accounts on FortiWeb appliances. Public exploit tools and PoC-style scripts targeting vulnerable firmware versions have been released.
Update:
Fortinet has released patches across all affected FortiWeb firmware branches. Full remediation guidance, fixed versions, and firmware downloads are available in the official PSIRT advisory:
Affected versions and required updates:
- FortiWeb 8.0.0 through 8.0.1 → upgrade to 8.0.2 or later
- FortiWeb 7.6.0 through 7.6.4 → upgrade to 7.6.5 or later
- FortiWeb 7.4.0 through 7.4.9 → upgrade to 7.4.10 or later
- FortiWeb 7.2.0 through 7.2.11 → upgrade to 7.2.12 or later
- FortiWeb 7.0.0 through 7.0.11 → upgrade to 7.0.12 or later
Administrators must validate their exact firmware track and deploy the corrected update immediately.
Description:
CVE-2025-64446 is a relative path traversal vulnerability in Fortinet FortiWeb that enables an unauthenticated remote attacker to manipulate file paths within HTTP or HTTPS requests and gain unauthorized administrative access. When exploited, the attacker can execute privileged administrative commands, create new admin users, disable or alter WAF protections, intercept and manipulate application traffic, and potentially pivot deeper into internal networks.
Mitigation Recommendation:
Identify all FortiWeb appliances deployed in your environment, including physical, virtual, and cloud editions, and determine exposure level (especially internet-facing devices).
Apply the Fortinet firmware fixes listed in PSIRT advisory FG-IR-25-910 immediately.
If patching cannot be performed immediately, restrict or block management interface access from untrusted networks. Allow management only from isolated administrative networks.
