Summary
| Item | Details |
| --- | --- |
| Vulnerability Name | Path Traversal in FortiWeb (CVE-2025-64446) |
| Released on | November 17, 2025 |
| Affected Component | FortiWeb |
| Affected Version | 8.0.0 ≤ FortiWeb ≤ 8.0.1<br>7.6.0 ≤ FortiWeb ≤ 7.6.4<br>7.4.0 ≤ FortiWeb ≤ 7.4.9<br>7.2.0 ≤ FortiWeb ≤ 7.2.11<br>7.0.0 ≤ FortiWeb ≤ 7.0.11 |
| Vulnerability Type | Path traversal |
| Exploitation Condition | 1. User authentication: not required.<br>2. Precondition: default configurations.<br>3. Trigger mode: remote. |
| Impact | Exploitation difficulty: easy. Attackers can exploit this vulnerability to perform path traversal without authorization. Severity: critical. This vulnerability can result in path traversal. |
| Official Solution | Available |
About the Vulnerability
Component Introduction
FortiWeb is a web application firewall (WAF) that protects the web applications deployed behind it from attacks.
Vulnerability Description
On November 17, 2025, Sangfor FarSight Labs received notification of a path traversal vulnerability in FortiWeb (CVE-2025-64446), rated critical.
Specifically, FortiWeb contains a path traversal vulnerability caused by inadequate access control in some common gateway interface (CGI) handlers. Unauthenticated attackers can craft specific HTTP/HTTPS requests that achieve path traversal without modifying HTTP headers. Through this vulnerability, attackers can execute arbitrary administrative commands, such as creating backdoor accounts and manipulating device configurations, and thereby take full control of the affected device. This can lead to critical data leaks and service interruptions. This vulnerability has been reported as exploited in the wild.
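Because exploitation needs only an unauthenticated HTTP request, the most useful defender-side artefact is the web server or reverse-proxy access log in front of the management interface. The following is an added example, not code from Sangfor or Fortinet, and it does not encode the actual CVE-2025-64446 request: it is a generic traversal detector that normalizes percent-encoding (including double encoding) before looking for `..` segments in the path or query, and it ranks hits by whether the server answered 2xx. The log lines are constructed samples in Combined Log Format; the `/cgi-bin/...` paths in them are placeholders, not FortiWeb's real endpoints.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format). The hosts, paths and
# user agents are invented for this example; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Nov/2025:10:01:02 +0000] "GET /api/v2.0/status HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.11 - - [17/Nov/2025:10:01:05 +0000] "GET /cgi-bin/app?file=../../etc/passwd HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.12 - - [17/Nov/2025:10:01:09 +0000] "POST /cgi-bin/%2e%2e/%2e%2e/admin HTTP/1.1" 403 0 "-" "Mozilla/5.0"
203.0.113.13 - - [17/Nov/2025:10:01:11 +0000] "GET /cgi-bin/%252e%252e/config HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.14 - - [17/Nov/2025:10:01:15 +0000] "GET /images/logo..png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded '..' becomes visible,
    then treat backslashes as path separators."""
    cur = target
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/")


def is_traversal(target: str) -> bool:
    """True when any path or parameter segment is exactly '..' after normalization,
    or when a NUL byte is present. 'logo..png' is a legitimate name and is not flagged."""
    norm = normalize_target(target)
    if "\x00" in norm:
        return True
    # Split on path and query delimiters so parameter values are checked too.
    return any(seg == ".." for seg in re.split(r"[/?&=]", norm))


def scan_log(text: str) -> list[dict]:
    """Return one record per request that looks like a traversal attempt.
    A 2xx response to such a request is marked 'probable-success' for triage priority."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["target"]):
            continue
        verdict = "probable-success" if m["status"].startswith("2") else "attempt"
        hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                     "status": m["status"], "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["verdict"]:17} {hit["ip"]:15} {hit["status"]} {hit["target"]}')
```

Bounded repeated decoding is the important design choice: a single `unquote` misses `%252e%252e`, while unbounded decoding can be abused to burn CPU on pathological inputs. Treat a `probable-success` record as an incident trigger rather than a mere alert, since the advisory states that a successful traversal yields administrative command execution.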
Affected Versions
The following FortiWeb versions are affected:
8.0.0 ≤ FortiWeb ≤ 8.0.1
7.6.0 ≤ FortiWeb ≤ 7.6.4
7.4.0 ≤ FortiWeb ≤ 7.4.9
7.2.0 ≤ FortiWeb ≤ 7.2.11
7.0.0 ≤ FortiWeb ≤ 7.0.11
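To turn the affected-version list into an inventory check, the following added example (not Sangfor's or Fortinet's code) parses FortiWeb version strings and classifies each host against the ranges stated in this advisory. It deliberately distinguishes "fixed" (a listed branch, above the last affected build) from "not listed" (a branch the advisory does not mention, such as anything below 7.0), because absence from the table is not evidence of safety. The inventory dictionary and the version strings in it are constructed sample data.

```python
import re

# Inclusive (lower, upper) ranges exactly as stated in the advisory.
AFFECTED_RANGES = [
    ("8.0.0", "8.0.1"),
    ("7.6.0", "7.6.4"),
    ("7.4.0", "7.4.9"),
    ("7.2.0", "7.2.11"),
    ("7.0.0", "7.0.11"),
]


def parse_version(s: str) -> tuple[int, int, int]:
    """'7.6.4' -> (7, 6, 4). Tolerates a leading 'v' and a trailing build suffix
    (e.g. '7.6.4,build1234'); anything else is rejected rather than guessed."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised FortiWeb version string: {s!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for one version string."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            return "affected"
    # Highest affected build per major.minor branch that the advisory lists.
    branch_max = {parse_version(lo)[:2]: parse_version(hi) for lo, hi in AFFECTED_RANGES}
    upper = branch_max.get(v[:2])
    if upper is not None and v > upper:
        return "fixed"
    # Branch not covered by the advisory: check the vendor PSIRT entry, do not assume safe.
    return "not listed"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map hostname -> classification; unparsable versions are reported, not skipped."""
    result = {}
    for host, ver in inventory.items():
        try:
            result[host] = classify(ver)
        except ValueError:
            result[host] = "unparsable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are invented).
    sample = {"waf-edge-01": "7.6.4", "waf-edge-02": "8.0.2",
              "waf-lab-01": "6.4.3", "waf-dr-01": "v7.4.9,build1234"}
    for host, verdict in triage(sample).items():
        print(f"{host:12} {sample[host]:18} {verdict}")
```

A host reported as `fixed` by this check still deserves a second look if it was exposed while on an affected build, since the advisory notes in-the-wild exploitation and patching does not remove an account an attacker may already have created.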
Solutions
Remediation Solutions
Official Solution
The latest version has been officially released to fix the vulnerability. Affected users are advised to update FortiWeb to the latest version.
Temporary Solutions
- Disable unused functional modules to reduce attack entry points.
- Follow the principle of least privilege to strictly control the scope of permissions for sensitive operations.
- Do not expose the service to the Internet unless necessary, and restrict access sources to trusted IP ranges.
- Regularly update the system and components to secure versions, to ensure that known vulnerabilities can be patched at the earliest opportunity.
Sangfor Solutions
Proactive Vulnerability Detection
The following Sangfor services can proactively detect CVE-2025-64446 and quickly identify vulnerable assets at scale in production environments:
- Athena Managed Detection and Response (MDR): The corresponding detection solution will be released on December 30, 2025. The rule ID is SF-2025-01467.
- Athena Extended Detection and Response (XDR): The corresponding detection solution will be released on November 22, 2025. The rule ID is SF-2025-02114.
Vulnerability Monitoring
The following Sangfor services support monitoring for CVE-2025-64446 and, through traffic collection, can identify affected assets and the scope of impact in production environments in real time:
- Athena Network Detection and Response (NDR): The corresponding monitoring solution will be released on November 24, 2025. The rule ID is 11029944.
- Athena MDR: The corresponding monitoring solution will be released on November 24, 2025. The rule ID is 11029944. In this case, make sure that Athena MDR is integrated with Athena NDR.
- Athena XDR: The corresponding monitoring solution will be released on November 24, 2025. The rule ID is 11029944.
- Sangfor Traffic Monitoring GPT: Sangfor Traffic Monitoring GPT can detect attacks and threats targeting this vulnerability based on its understanding of attacks and code, without the need to configure rules.
Vulnerability Prevention
The following Sangfor services can effectively block CVE-2025-64446 exploits:
- Athena Next-Generation Firewall (NGFW): The corresponding prevention solution will be released on November 24, 2025. The rule ID is 11029944.
- Sangfor Web Application Firewall (WAF): The corresponding prevention solution will be released on November 24, 2025. The rule ID is 11029944.
- Athena MDR: The corresponding prevention solution will be released on November 24, 2025. The rule ID is 11029944. In this case, make sure that Athena MDR is integrated with Athena NGFW.
- Athena XDR: The corresponding prevention solution will be released on November 24, 2025. The rule ID is 11029944. In this case, make sure that Athena XDR is integrated with Athena NGFW.
Timeline
On November 17, 2025, Sangfor FarSight Labs received notification of the path traversal vulnerability in FortiWeb (CVE-2025-64446).
On November 17, 2025, Sangfor FarSight Labs released a vulnerability alert.
Reference
https://fortiguard.fortinet.com/psirt/FG-IR-25-910
Learn More
Sangfor FarSight Labs researches the latest cyber threats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyber threats, providing fast and easy protection for customers.