Analysis Summary

Fortinet has issued an urgent advisory for a critical vulnerability (CVE-2025-64446) in its FortiWeb web application firewall (WAF) product, which is currently being exploited in the wild. The flaw originates from improper access control in the GUI, allowing unauthenticated attackers to execute administrative commands. Classified as a relative path traversal vulnerability (CWE-23), it enables attackers to craft malicious HTTP or HTTPS requests that bypass authentication and potentially seize complete control of affected systems.

Successful exploitation could result in the creation of unauthorized administrator accounts, giving attackers full access to device configurations, sensitive data, and administrative functions. Fortinet’s PSIRT confirmed that active exploitation is occurring, highlighting the severity of the threat. With a CVSS v3.1 base score of high, the vulnerability is rated “Critical” due to its high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), and the fact that no privileges or user interaction are required for exploitation.

The flaw affects multiple FortiWeb versions across branches 8.0, 7.6, 7.4, 7.2, and 7.0, including specific builds such as 8.0.0–8.0.1, 7.6.0–7.6.4, 7.4.0–7.4.9, 7.2.0–7.2.11, and 7.0.0–7.0.11. Fortinet recommends upgrading to the latest patched versions: 8.0.2 or above, 7.6.5 or above, 7.4.10 or above, 7.2.12 or above, and 7.0.12 or above. Temporary mitigation includes disabling HTTP/HTTPS access on internet-facing interfaces, although this reduces exposure rather than fully eliminating the risk.

Organizations are strongly advised to audit configurations, review logs, and monitor for suspicious activity following upgrades, including unauthorized admin account creation or unexpected changes. The incident highlights the broader risks associated with critical network security appliances, which can themselves become vectors for attacks if vulnerabilities remain unpatched. The FortiWeb case underscores the importance of timely patch management and securing management interfaces to prevent attackers from pivoting into broader enterprise environments.

Impact

• Gain Access

Indicators of Compromise

CVE

• CVE-2025-64446

Affected Vendors

Remediation

• Upgrade immediately to patched FortiWeb versions.
• Disable HTTP/HTTPS access on internet-facing interfaces as a temporary mitigation until patches are applied.
• Restrict management access to internal networks or VPN-only connections to reduce exposure.
• Audit existing administrative accounts for unauthorized creation or modifications.
• Review device configurations and logs for signs of compromise or unusual access patterns.
• Monitor for suspicious activity such as unexpected privilege escalations, configuration changes, or new admin accounts.
• Implement strong access control and authentication on all administrative interfaces.
• Maintain timely patch management processes for all critical network security appliances.