CVE-2025-64446

Published Nov 14, 2025

Last updated 3 months ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-64446 is a relative path traversal vulnerability affecting Fortinet FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. It can be exploited by sending crafted HTTP or HTTPS requests. This vulnerability allows remote, unauthenticated attackers to gain administrative access to the web application firewall appliances. Specifically, the vulnerability can be exploited by sending an HTTP POST request to `/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi` with a payload designed to create an administrative account. Successful exploitation allows an attacker with no prior access to gain administrator-level access to the FortiWeb Manager panel and websocket command-line interface.

Description
A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
Source
psirt@fortinet.com
NVD status
Analyzed
Products
fortiweb

Insights

Analysis from the Intruder Security Team
Published Nov 14, 2025 Updated Nov 16, 2025

This exploit was picked up by Defused as early as October 2nd, when it was thought to be a variant of CVE-2022-40684. However, Fortinet has since confirmed that this is a new vulnerability and has assigned this CVE to it. The exploit takes advantage of both a path traversal (/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi) and an authentication bypass via the CGIINFO cookie.

Fortinet offers little information in its disclosure, and until today there was no patching information, as noted in watchTowr's article. The infosec community has collated some IOCs, which can be found here. This vulnerability has been actively exploited to create a new administrative user; any FortiWeb instance that has exposed the web GUI to the internet should be considered compromised.
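The two facts a defender needs from the overview and the analysis above are the affected version ranges and the shape of the exploit request (an API path that traverses back to `/cgi-bin/fwbcgi`, optionally with a `CGIINFO` cookie). The following is an added example, not code from Intruder, Fortinet or watchTowr: it checks a firmware version string against the ranges Fortinet lists, and scans web access-log lines for requests whose decoded, normalized path resolves to the CGI handler even though the raw path did not start there. The log layout (combined format with the Cookie header appended as a final quoted field), the sample lines and the cookie value are all constructed for the example; whether `CGIINFO` appears on legitimate sessions is not stated on this page, so the cookie only raises the severity of a traversal hit and is never an indicator on its own.

```python
"""Detection helpers for the CVE-2025-64446 request pattern.

Added example, not vendor or Intruder code. The log format and sample
lines are constructed assumptions; the version ranges come from the
advisory text reproduced on this page.
"""
import re
from posixpath import normpath
from urllib.parse import unquote

# Affected ranges as Fortinet lists them (major, minor) -> (first, last).
# Branches not listed here (e.g. 6.x) simply return False; that means
# "not in the vendor list", not "safe".
AFFECTED_RANGES = {
    (8, 0): ((8, 0, 0), (8, 0, 1)),
    (7, 6): ((7, 6, 0), (7, 6, 4)),
    (7, 4): ((7, 4, 0), (7, 4, 9)),
    (7, 2): ((7, 2, 0), (7, 2, 11)),
    (7, 0): ((7, 0, 0), (7, 0, 11)),
}


def is_affected(version: str) -> bool:
    """True if a FortiWeb version such as '7.6.3' is inside a listed range."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {version!r}")
    rng = AFFECTED_RANGES.get(parts[:2])
    return rng is not None and rng[0] <= parts <= rng[1]


# Combined log format plus a trailing quoted Cookie field (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

TRAVERSAL_TARGET = "/cgi-bin/fwbcgi"


def normalize_path(raw: str) -> str:
    """Decode a request path as a permissive router would and resolve '..'.

    Only a literal '?' ends the path; an encoded '%3f' is part of it, which
    is exactly why the advisory path survives into the file-system lookup.
    Decoding twice catches single and double percent-encoding.
    """
    decoded = raw.split("?", 1)[0]
    for _ in range(2):
        decoded = unquote(decoded)
    return normpath(decoded)


def classify(line: str):
    """Return a finding dict for a suspicious line, else None."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None  # unparsable line; a real pipeline would count these
    raw = m["path"]
    norm = normalize_path(raw)
    # Direct, un-traversed calls to the CGI handler are normal appliance
    # traffic; the indicator is a path that only resolves there after '..'.
    traversal = norm == TRAVERSAL_TARGET and not raw.startswith(TRAVERSAL_TARGET)
    if not traversal:
        return None
    has_cgiinfo = "CGIINFO=" in m["cookie"]
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        "raw_path": raw,
        "normalized": norm,
        "cgiinfo_cookie": has_cgiinfo,
        "severity": "high" if has_cgiinfo else "medium",
    }


def scan(log_text: str) -> list:
    """Scan a block of log text and return all findings in order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


# Constructed sample lines: one traversal with the cookie, one benign API
# call, one traversal using mixed-case double encoding and no cookie.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Nov/2025:10:01:02 +0000] "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512 "-" "curl/8.0" "CGIINFO=constructed-placeholder-value"
203.0.113.11 - - [14/Nov/2025:10:02:15 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 401 0 "-" "Mozilla/5.0" "-"
203.0.113.12 - - [14/Nov/2025:10:03:40 +0000] "POST /api/v2.0/cmdb/system/admin%3F/..%2f..%2f..%2f..%2f..%2fcgi-bin/fwbcgi HTTP/1.1" 200 512 "-" "python-requests/2.31" "-"
"""

if __name__ == "__main__":
    for ver in ("7.6.3", "7.6.5", "8.0.2"):
        print(ver, "affected" if is_affected(ver) else "not in listed ranges")
    for hit in scan(SAMPLE_LOG):
        print(hit["severity"], hit["ip"], hit["raw_path"], "->", hit["normalized"])
```

Because the appliance treats `%3f` as part of the path rather than as a query separator, a detector that splits on the decoded `?` before normalizing would miss the request; the example therefore splits on the raw path first and decodes afterwards. A traversal hit with a 200 response on an appliance in a listed version range should be treated as the "consider compromised" case described above, and followed by a review of admin accounts created after the request timestamp.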

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Fortinet FortiWeb Path Traversal Vulnerability
Exploit added on
Nov 14, 2025
Exploit action due
Nov 21, 2025
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

psirt@fortinet.com
CWE-23

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

17

  1. 🚩 Vibe coding + FortiWeb exploitation platform (CVE-2025-64446 ⛓️ CVE-2025-58034) + C2 server (?) + #opendir (now off) 💀🤷🏻‍♂️ Dm : https://t.co/vmiP9bobnI on telegram to learn Join my channel: https://t.co/SkhyKbfZw4 https://t.co/llKjXQv5LA

    @EthicalHackerxz

    19 Feb 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚩 Vibe coding + FortiWeb exploitation platform (CVE-2025-64446 ⛓️ CVE-2025-58034) + C2 server (?) + #opendir (now off) 💀🤷🏻‍♂️ https://t.co/SUjGlZfpVZ

    @1ZRR4H

    18 Feb 2026

    13182 Impressions

    26 Retweets

    124 Likes

    57 Bookmarks

    7 Replies

    1 Quote

  3. The following vulnerabilities have been added to our feed: - CVE-2025-64446: Fortinet Fortiweb Command Injection RCE - CVE-2025-62221: Microsoft Cloud Files Mini Filter Driver UAF LPE - CVE-2025-26666: Windows Media Heap-based Buffer Overflow DoS https://t.co/Nw6eZdt4CA

    @crowdfense

    12 Feb 2026

    602 Impressions

    0 Retweets

    4 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  4. Monitor CVE-2025-64446 exploit attempts with honeypots. Stay vigilant to protect your systems. #CISO #CyberSecurity https://t.co/MjGtkvzw2K

    @breachwire_io

    11 Feb 2026

    48 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. New RaaS group “Sicarii” uses Israeli & Jewish iconography - but researchers say it’s likely deceptive branding. • Geo-fenced execution • CVE-2025-64446 exploitation • Data theft + destructive ransomware What’s your take on attribution-by-branding? #Ransomware #

    @TechNadu

    15 Jan 2026

    75 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  6. 🚨 Active exploitation detected 📦 Product: FortiWeb 🆔 Vuln: CVE-2025-64446 A path traversal vulnerability allows an unauthenticated attacker to execute administrative commands via crafted HTTP or HTTPS requests. ⚠️ Mitigation: Apply security patches immediately.

    @XavSecOps

    13 Jan 2026

    67 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  7. Python & Kaspersky NDR Hardening for CVE-2025-64446 Read the full report on - https://t.co/em1qCsIZ14 https://t.co/pY0M09IpCI

    @cyberbivash

    5 Jan 2026

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Fortinet FortiWeb vulnerability CVE-2025-64446: attacks targeting administrator accounts observed https://t.co/sVPReS3obI The cause of this issue is that the management interface endpoint fails to properly restrict the supplied file path, a path tra

    @iototsecnews

    5 Jan 2026

    35 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. ⚠️We are observing elevated Fortinet exploit activity from various TOR exit nodes The exploit traffic is a mix of recent exploits like CVE-2025-64446 and credential stuffing attempts using legitimate-looking credentials Associated IP addresses 199.195.253.180 204.8.96.179

    @DefusedCyber

    2 Jan 2026

    11202 Impressions

    18 Retweets

    110 Likes

    36 Bookmarks

    2 Replies

    2 Quotes

  10. 🔔 Update: Fortinet has assigned CVE-2025-64446 (CVSS 9.1) — a path traversal flaw letting attackers run admin commands via crafted HTTP/S requests. CISA added it to KEV — deadline: Nov 21. Exploited in the wild. https://t.co/eif7UQsvBk

    @CarterJames6660

    22 Dec 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Fortinet reported two critical flaws in FortiWeb: CVE-2025-64446, a Relative Path Traversal that allows executing commands via HTTP/HTTPS, and the vulnerability CVE-2025-58034. More information: https://t.co/jr8OYpTM9v #PorUnEcuadorCiberseguro @Arcotel_ec @CsirtCEDIA @CsirtEPN

    @EcuCERT_EC

    4 Dec 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. FortiWeb alert: two exploited flaws, path traversal (CVE-2025-64446) and OS command injection (CVE-2025-58034), also affect unsupported 6.x. Silent patching hampered defenders. Thoughts? #FortiWeb_vulnerabilidades_explotadas https://t.co/h16Bx0JYj0

    @CyberDailyPost

    2 Dec 2025

    50 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. Fortinet FortiWeb below 8.0.2 was affected by CVE-2025-64446, a critical auth-bypass flaw. Attackers can send crafted HTTP requests to gain admin access, potentially taking full control of the WAF. Update immediately and review admin activity. Read more: https://t.co/LIkdNi7Pjs

    @wazuh

    2 Dec 2025

    306 Impressions

    6 Retweets

    9 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. Actor exploiting CVE-2025-64446 (FortiWeb path traversal vulnerability) from AS 4847 🇨🇳 ( China Networks Inter-Exchange ) 0/95 Detections on VT 🟢 Link to event 👇 https://t.co/SXb8esRZFb

    @DefusedCyber

    2 Dec 2025

    1894 Impressions

    6 Retweets

    25 Likes

    5 Bookmarks

    1 Reply

    0 Quotes

  15. CVE-2025-64446: Fortinet FortiWeb Zero-Day Path Traversal Vulnerability Exploited in the Wild https://t.co/pUy95Y6eAI https://t.co/nthaJbK2gX

    @IT_Peurico

    28 Nov 2025

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. Actively exploited CVE : CVE-2025-64446

    @transilienceai

    27 Nov 2025

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  17. 🛡️ FortiWeb just got stronger! Our latest WAF update bolsters protection against authentication bypass vulnerabilities (CVE-2025-64446) & enhances PHP Wrapper Injection detection. Improved coverage & blocking for your sites. 💪 https://t.co/UKpcTgYd1T

    @CFchangelog

    26 Nov 2025

    367 Impressions

    0 Retweets

    10 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. Warning: Two critical vulnerabilities in #Fortinet #Fortiweb are actively exploited. CVE-2025-58034 and CVE-2025-64446 can be chained together to achieve remote code execution. Check our updated advisories https://t.co/GboGlwR20Q & https://t.co/Bic3EKtppP #RCE! #Patch #Patch

    @CCBalert

    26 Nov 2025

    210 Impressions

    2 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  19. 🚨 FortiWeb’s Silent Breach Window: A Deep Dive Into #CVE-2025-64446 and the Threat of Admin Impersonation https://t.co/wQNfS2GLjd

    @UndercodeNews

    25 Nov 2025

    25 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. Cloudflare has released new WAF rule addressing the following CVE to enhance customer protection. Fortinet FortiWeb - Auth Bypass (CVE-2025-64446) https://t.co/QfKGvYFDrg

    @Cloudforce_One

    24 Nov 2025

    1615 Impressions

    2 Retweets

    11 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  21. A critical @Fortinet FortiWeb auth bypass (CVE-2025-64446) is being actively exploited, giving attackers control of vulnerable devices. @CISAgov has added it to the KEV with a Nov 21 deadline. Learn about the exploit, affected versions, & mitigation steps. https://t.co/rzxDwE

    @CyberPhilipR

    24 Nov 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. Actively exploited CVE : CVE-2025-64446

    @transilienceai

    24 Nov 2025

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  23. ❗Fortinet FortiWeb zero-day (CVE-2025-64446) being exploited in real time A zero-day that bypasses administrator authentication via relative path manipulation → allowing complete takeover of the device has been actively exploited since early October. Based on Criminal IP analysis, 871 FortiWeb instances

    @CriminalIP_KR

    24 Nov 2025

    79 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. ❗Fortinet FortiWeb zero-day (CVE-2025-64446) is being exploited in real time❗ A zero-day that bypasses administrator authentication through relative path manipulation and allows complete takeover of the device has been actively exploited since early October

    @CriminalIP_JP

    24 Nov 2025

    159 Impressions

    0 Retweets

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  25. 🚨 Fortinet FortiWeb Zero-Day (CVE-2025-64446) Actively Exploited 🚨​ A critical path-traversal authentication bypass flaw is being weaponized in the wild since early October, allowing attackers to skip admin auth and fully compromise vulnerable appliances.​ 🔎 871 C

    @CriminalIP_US

    24 Nov 2025

    189 Impressions

    0 Retweets

    1 Like

    2 Bookmarks

    0 Replies

    0 Quotes

  26. Alert: Metasploit releases exploit module for critical FortiWeb vulnerabilities (CVE-2025-64446 & CVE-2025-58034). Immediate patching to version 8.0.2+ is crucial. Link: https://t.co/Ek87OAERvg #Security #Exploit #Vulnerabilities #Cyber #Patch #Fortinet #Updates #Hacking http

    @dailytechonx

    23 Nov 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. 🚨 CVE-2025-64446 – FortiWeb Zero-Day Path Traversal RCE CVE-2025-64446 – FortiWeb Zero-Day Path Traversal RCE Fortinet's FortiWeb has a critical zero-day path traversal vulnerability allowing unauthenticated remote code execution. What's brutal: attackers exploit impro

    @the_c_protocol

    23 Nov 2025

    44 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. 🚨 New #Metasploit module just weaponized two FortiWeb 0-days — CVE-2025-64446 & CVE-2025-58034. Attackers can now go from no auth → full root RCE in seconds. Read More: https://t.co/DgOgJG3nAt #CyberSecurity #Fortinet #Canada #CanadaCyberAwareness https://t.co/oSTL

    @FindSecCyber

    23 Nov 2025

    53 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. When The Impersonation Function Gets Used To Impersonate Users (Fortinet FortiWeb Auth. Bypass CVE-2025-64446) https://t.co/qrN5yAvTpW

    @marktsec46065

    23 Nov 2025

    55 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  30. A module for that FortiWeb zero-day vulnerability has been added to Metasploit. It chains CVE-2025-64446 and CVE-2025-58034 to enable remote code execution. Named exploit/linux/http/fortinet_fortiweb_rce. https://t.co/iQAM1txuQG

    @__kokumoto

    23 Nov 2025

    2474 Impressions

    2 Retweets

    37 Likes

    13 Bookmarks

    0 Replies

    0 Quotes

  31. 🚩 Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability https://t.co/X17lv1a5vd CVE-2025-64446 (CVSS 9.1), a path traversal flaw in FortiWeb WAF, allows unauthenticated attackers to execute administrative commands and create admin accounts via crafted

    @Huntio

    22 Nov 2025

    980 Impressions

    4 Retweets

    7 Likes

    0 Bookmarks

    0 Replies

    1 Quote

  32. exploit module for Fortinet FortiWeb (CVE-2025-64446 + CVE-2025-58034) https://t.co/sunlFe4r1S

    @tdatwja

    22 Nov 2025

    189 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. 🧵 🚨 BREAKING: FortiWeb WAFs under ACTIVE zero-day attack Two critical vulns being exploited in the wild: • CVE-2025-58034 • CVE-2025-64446 (auth bypass) CISA says patch in 7 days. Here's what you need to know 👇 https://t.co/W0C6VVFLHa #CyberSecurity #ZeroDa https:/

    @nxtgen579255

    22 Nov 2025

    2 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  34. Vulnerability in Fortinet FortiWeb (14 November 2025) — A vulnerability has been discovered in Fortinet FortiWeb. It allows an attacker to bypass the security policy. Fortinet indicates that the vulnerability CVE-2025-64446 is active

    @RotateKeys

    22 Nov 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  35. Actively exploited CVE : CVE-2025-64446

    @transilienceai

    22 Nov 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  36. We now have a (draft) @metasploit exploit module for the recent Fortinet FortiWeb vulns, chaining CVE-2025-64446 (auth bypass) + CVE-2025-58034 (command injection) to achieve unauthenticated RCE with root privileges: https://t.co/Xh15JybxsC https://t.co/n7sMp6qCJU

    @stephenfewer

    21 Nov 2025

    12194 Impressions

    50 Retweets

    209 Likes

    69 Bookmarks

    2 Replies

    1 Quote

  37. 🚨 Fortinet FortiWeb Exploitation Alert 🚨 Threat actors are abusing a critical auth-bypass flaw (CVE-2025-64446) to gain admin access, create rogue accounts, alter configs & wipe logs. Check IoCs + mitigation steps in our full advisory 👇 📄 https://t.co/TN316Ffimo

    @sequretek_sqtk

    21 Nov 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  38. Actively exploited CVE : CVE-2025-64446

    @transilienceai

    21 Nov 2025

    30 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  39. 🚨 A new FortiWeb vulnerability, CVE-2025-58034, has emerged just days after the previous Fortinet disclosure and is already being exploited in the wild. While medium in severity, early signals suggest it may be chained with CVE-2025-64446, though no official confirmation has h

    @censysio

    20 Nov 2025

    5409 Impressions

    15 Retweets

    58 Likes

    19 Bookmarks

    0 Replies

    2 Quotes

  40. 🚨 Fortinet FortiWeb Security Advisory [—] Nov 20, 2025 Comprehensive analysis of recent vulnerabilities affecting Fortinet FortiWeb Web Application Firewall, including CVE-2025-64446 and CVE-2025-58034. Checkout our Threat Intelligence Platform:... https://t.co/vX12nHWhJj

    @transilienceai

    20 Nov 2025

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  41. 🚨Critical Fortinet FortiWeb Zero-Day (CVE-2025-64446) exploited in the wild! Remote command execution through path traversal attacks. No patch yet — lock down your FortiWeb devices NOW. Monitor updates! 🔗https://t.co/brvzTj2JO6 #Fortinet #Cybersecurity https://t.co/eaKg

    @rapidriskradar

    20 Nov 2025

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  42. 🚨 CISA confirms active exploitation of a serious vulnerability in Fortinet FortiWeb (CVE-2025-64446). Thousands of systems are at risk and attackers are already taking advantage of this flaw to take control of devices. Are you protected? ✅ Don't ignore it! https://t.co

    @M4nticonsuling

    19 Nov 2025

    28 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  43. 🚨We are warning of an actively exploited vulnerability in Fortinet FortiWeb, CVE-2025-64446. The vulnerability is caused by path confusion/traversal in the FortiWeb GUI component. Attackers can send specially crafted HTTP/HTTPS POST requests to manipulated pa

    @GOVCERT_CZ

    19 Nov 2025

    365 Impressions

    2 Retweets

    3 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  44. #AlertaDeSeguridad ⚠️ Active exploitation of the vulnerability CVE-2025-64446 in FortiWeb has been confirmed.🚫 This critical flaw allows attackers to bypass authentication and gain control of the WAF on unpatched versions. Read the #ColCERT analysis 🔗 h

    @colCERT

    19 Nov 2025

    537 Impressions

    8 Retweets

    11 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  45. Fortinet: FortiWeb vulnerability exploitation is serious... "Risk of compromise worldwide" CVE-2025-64446 urgent alert... CISA orders US federal agencies to patch within one week https://t.co/SZLGc2allr

    @rokmc_sns

    18 Nov 2025

    28 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  46. New #Tenable #Security Research Blog: CVE-2025-64446: #Fortinet FortiWeb Zero-Day Path Traversal Vulnerability Exploited in the Wild https://t.co/lgDBL6wHd3 https://t.co/X6X5ezQN7X

    @pcasano

    18 Nov 2025

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  47. 🚨 A Critical Vulnerability exists in Fortinet FortiWeb (CVE-2025-64446). Please see the @ncsc_gov_ie advisory for more information: https://t.co/OVHLLW3YiS

    @ncsc_gov_ie

    18 Nov 2025

    275 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  48. A critical Fortinet FortiWeb vulnerability capable of remote code execution has been exploited in the wild. Fortinet on Nov. 14 disclosed CVE-2025-64446, a vulnerability in its Web application firewall (WAF) product FortiWeb. https://t.co/MlJIbIi9KH

    @Guardian360nl

    18 Nov 2025

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  49. 🚨 Critical alert in #FortiWeb (CVE-2025-64446, CVSS 9.1). Allows UNauthenticated attackers to evade controls and compromise the entire device. The @CompuNet BlueTeam is already assisting with mitigation. 📩 soporte@compunetgroup.net #Ciberseguridad #Fortinet https://t.

    @CompunetChile

    18 Nov 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  50. ⚠️FortiWeb CVE-2025-64446 post-exploit activity An actor seen exploiting the vulnerability is now actively fetching a path for retrieving backup configs These backups can contain credentials / secrets - this may be a persistence mechanism. 38.60.203.31 🇭🇰 (Kaopu Cl

    @DefusedCyber

    18 Nov 2025

    11082 Impressions

    17 Retweets

    59 Likes

    24 Bookmarks

    3 Replies

    1 Quote
