Latest Fortinet FortiWeb vulnerability: CVE-2025-64446 #
Fortinet has issued an advisory for a relative path traversal vulnerability affecting the GUI component of certain versions of their FortiWeb product. Successful exploitation allows a remote, unauthenticated adversary to execute administrative commands on the system via crafted HTTP or HTTPS requests. The vulnerability, designated CVE-2025-64446, is rated critical with a base CVSS score of 9.1.
There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected
- FortiWeb 7.0 versions 7.0.0 through 7.0.11
- FortiWeb 7.2 versions 7.2.0 through 7.2.11
- FortiWeb 7.4 versions 7.4.0 through 7.4.9
- FortiWeb 7.6 versions 7.6.0 through 7.6.4
- FortiWeb 8.0 versions 8.0.0 through 8.0.1
What is Fortinet FortiWeb? #
Fortinet FortiWeb is a specialized Web Application Firewall (WAF) that protects web applications and APIs from known and unknown threats by inspecting HTTP traffic and enforcing security policies to block attacks.
What is the impact? #
Successful exploitation of the vulnerability would allow a remote unauthenticated adversary to gain administrative access to the system.
Are updates or workarounds available? #
Upgrade affected systems to the new versions
- FortiWeb 7.0 upgrade to version 7.0.12 or later
- FortiWeb 7.2 upgrade to version 7.2.12 or later
- FortiWeb 7.4 upgrade to version 7.4.10 or later
- FortiWeb 7.6 upgrade to version 7.6.5 or later
- FortiWeb 8.0 upgrade to version 8.0.2 or later
How to find potentially vulnerable systems with runZero #
From the Asset Inventory, use the following query to locate potentially impacted assets:
product:"Fortinet FortiWeb"July 2025: (CVE-2025-25257) #
Fortinet issued an advisory for a vulnerability affecting certain versions of their FortiWeb product. Due to improper neutralization of elements from the authentication header in HTTP requests, a pre-authentication SQL injection (pre-auth SQLi) vulnerability existed. Through a specially crafted HTTP or HTTPS request to the Fabric Connector API path /api/fabric/device/status, an unauthenticated adversary could execute unauthorized SQL code or commands.
The vulnerability, designated CVE-2025-25257, was rated critical with a base CVSS score of 9.6. Note that proof-of-concept (PoC) exploits existed for this vulnerability.
There was evidence that this vulnerability was being actively exploited in the wild.
The following versions were affected
- FortiWeb 7.6 versions 7.6.0 through 7.6.3
- FortiWeb 7.4 versions 7.4.0 through 7.4.7
- FortiWeb 7.2 versions 7.2.0 through 7.2.10
- FortiWeb 7.0 versions 7.0.0 through 7.0.10
What was the impact? #
Successful exploitation of these vulnerabilities would allow a remote unauthenticated adversary to execute arbitrary commands on the remote system, potentially including operating system commands with the privileges of the vulnerable process.
Were updates or workarounds available? #
In addition to disabling, or restricting access to the HTTP/HTTPS administrative interface, Fortinet recommended upgrading the following versions of affected products:
- FortiWeb 7.6 upgrade to version 7.6.4 or later
- FortiWeb 7.4 upgrade to version 7.4.8 or later
- FortiWeb 7.2 upgrade to version 7.2.11 or later
- FortiWeb 7.0 upgrade to version 7.0.11 or later
