CVE-2025-64446
Published: 14 November 2025
Description
Adversaries may create a local account to maintain access to victim systems.
Security Summary
CVE-2025-64446 is a relative path traversal vulnerability (CWE-23) affecting Fortinet FortiWeb web application firewalls in multiple versions, specifically 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. It enables attackers to execute administrative commands on the system by sending crafted HTTP or HTTPS requests. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical), reflecting its network accessibility (AV:N), low attack complexity (AC:L), lack of required privileges or user interaction (PR:N/UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H).
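The version ranges above are the practical starting point for triage, so the following is an added example (not part of the advisory or of any Fortinet tooling) that checks an inventory of FortiWeb version strings against exactly those inclusive ranges. Because the advisory text on this page does not name the fixed releases, the check reports "affected" or "not listed as affected" rather than suggesting an upgrade target; hostnames in the sample inventory are constructed placeholders.

```python
# Added example: triage FortiWeb versions against the affected ranges
# stated for CVE-2025-64446. Not code from the advisory or from Fortinet.

# Inclusive (low, high) ranges, copied from the security summary.
AFFECTED_RANGES = [
    ("8.0.0", "8.0.1"),
    ("7.6.0", "7.6.4"),
    ("7.4.0", "7.4.9"),
    ("7.2.0", "7.2.11"),
    ("7.0.0", "7.0.11"),
]


def parse_version(v):
    """Turn 'major.minor.patch' into a comparable tuple of ints.

    Raises ValueError on malformed input so a bad string is never
    silently treated as 'not affected'.
    """
    parts = v.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True if the version lies inside any inclusive affected range.

    Comparison is tuple-wise, so 7.2.11 sorts above 7.2.9; a plain
    string comparison would get that wrong.
    """
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Split (host, version) pairs into affected and not-listed buckets.

    'Not listed' means only that the version is outside the ranges on
    this page; it is not a statement that the build is patched.
    """
    affected, not_listed = [], []
    for host, ver in inventory:
        (affected if is_affected(ver) else not_listed).append((host, ver))
    return affected, not_listed


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    sample = [
        ("fw-edge-01.example", "7.2.11"),
        ("fw-edge-02.example", "7.6.5"),
        ("fw-dc-01.example", "8.0.1"),
        ("fw-lab-01.example", "7.4.10"),
    ]
    hit, miss = triage(sample)
    print("affected:", hit)
    print("not listed as affected:", miss)
```

Feed it the version strings from an asset inventory or the FortiWeb "get system status" output, and treat every "affected" hit as a patch-now item given the KEV listing noted below.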
An unauthenticated attacker can exploit this vulnerability remotely over the network with minimal complexity, requiring no privileges or user interaction. Successful exploitation grants the ability to execute arbitrary administrative commands, potentially leading to full system compromise, including data exfiltration, modification, or disruption of the FortiWeb appliance.
Fortinet's PSIRT advisory (FG-IR-25-910) describes the issue and the expected mitigation steps, such as upgrading affected versions to a patched release. Additional technical analysis appears in a GitHub repository from WatchTowr Labs focused on FortiWeb authentication bypass techniques.
This vulnerability is cataloged in CISA's Known Exploited Vulnerabilities list, indicating active real-world exploitation. Security practitioners should prioritize patching affected FortiWeb instances.
Details
- CWE(s): CWE-23 (Relative Path Traversal)
- KEV Date Added: 14 November 2025
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Relative path traversal enables unauthenticated execution of administrative commands on FortiWeb (network appliance), facilitating public-facing application exploitation for initial access (T1190), network device CLI command execution (T1059.008), and local account creation as demonstrated in the PoC (T1136.001).