On November 14, 2025, Fortinet PSIRT published advisory FG-IR-25-910 disclosing CVE-2025-64446, a critical relative-path-traversal vulnerability in FortiWeb that can be chained with an unauthenticated request to achieve remote code execution. CISA issued an advisory the same day confirming the vulnerability had been exploited in targeted attacks since at least October 2025 and added it to the Known Exploited Vulnerabilities catalog. The CVSS v3.1 base score is 9.1 (vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). FortiWeb is Fortinet's web application firewall — the very product organizations deploy to protect their internal applications from path-traversal and RCE bugs — making this advisory an especially uncomfortable patching event because the WAF cannot rule-set its way out of its own vulnerability.
What does the vendor advisory say?
FG-IR-25-910 describes CVE-2025-64446 as a relative-path-traversal weakness in the FortiWeb management web interface. An unauthenticated remote attacker can issue a crafted HTTP request that traverses outside the intended directory and accesses internal management endpoints, which in turn execute commands with root privileges on the FortiWeb appliance. Fortinet's advisory text is unusually direct: "Fortinet has observed this vulnerability being exploited in the wild in targeted attacks. Apply the patch immediately." The vendor states there is no effective workaround that fully eliminates the trigger; restricting access to the management interface to trusted IP ranges via interface ACLs reduces exposure but does not close the bug for organizations that must allow administrative access from broad source networks (e.g., MSSPs managing customer FortiWeb fleets).
Which versions are affected and which are patched?
FG-IR-25-910 lists the following affected and fixed FortiWeb trains:
- FortiWeb 8.0 — affected versions 8.0.0 through 8.0.1; fixed in 8.0.2
- FortiWeb 7.6 — affected versions 7.6.0 through 7.6.4; fixed in 7.6.5
- FortiWeb 7.4 — affected versions 7.4.0 through 7.4.9; fixed in 7.4.10
- FortiWeb 7.2 — affected versions 7.2.0 through 7.2.11; fixed in 7.2.12
- FortiWeb 7.0 — affected versions 7.0.0 through 7.0.11; fixed in 7.0.12
FortiWeb 6.x and earlier reached end-of-support before this advisory; Fortinet's guidance is to migrate to 7.2.12 minimum. Verify the running version through the FortiWeb GUI under System > Dashboard > Status or via CLI: get system status and check the Version field. For organizations running FortiWeb-VM in cloud environments (AWS, Azure, GCP marketplace), the fixed AMI/image IDs are published in the same advisory and require a new instance launch or in-place upgrade through the FortiWeb VM provisioning workflow.
Is it in CISA KEV and what is the EPSS score?
CISA added CVE-2025-64446 to KEV on November 14, 2025, the same day as the Fortinet advisory, with a remediation deadline of November 21, 2025 — a seven-day window reflecting both confirmed in-the-wild exploitation and the high blast radius of WAF compromise. EPSS at disclosure was 0.38 (unusually high because the exploitation predates disclosure by approximately one month), climbing to 0.76 over the following two weeks as more red-team tooling integrated triggers. CISA's accompanying alert urged operators to "assume any internet-reachable FortiWeb appliance has been compromised and conduct forensic triage in addition to patching." For federal civilian executive branch agencies, the November 21 deadline was non-negotiable; commercial enterprises should follow the same SLA given the WAF's privileged position in the traffic path.
How do you find vulnerable instances in your SBOM?
FortiWeb appliances expose their version through the FortiOS management REST API as well as via SNMP and the CLI. For SBOM-driven inventories, ingest the /api/v2/cmdb/system/status endpoint into the asset graph nightly. Safeguard saved query:
# Identify every FortiWeb appliance still on a pre-fix build
safeguard scan --cve CVE-2025-64446 --product fortiweb
# Filter to FortiWeb devices with the management interface internet-exposed
safeguard assets list \
--filter "vendor=fortinet AND product=fortiweb AND mgmt-exposure=internet" \
--include-cve CVE-2025-64446
For shops without firmware SBOMs, the cheapest enumeration is a scripted REST call per management IP, parsed and compared against the fixed-build matrix. FortiManager users can query the central management console for the FortiWeb device inventory across the entire estate via execute device list. The Fortinet Fabric Connector also exposes the device version through the FortiAnalyzer dashboard, which security teams that already operate Fortinet's logging stack can leverage without additional inventory work.
What is the recommended patch rollout?
Fortinet's recommended sequence:
- Snapshot the FortiWeb configuration via
execute backup full-configto a TFTP/SCP destination. - Snapshot the underlying VM (for FortiWeb-VM deployments) or note the active HA partner for hardware appliances.
- Download the fixed firmware image from
support.fortinet.com. - For HA pairs, upgrade the secondary unit first via
execute restore image management-station <fwimage>; the unit reboots into the new firmware and rejoins the cluster as secondary. - Force failover with
execute ha manage 0 adminanddiagnose sys ha takeoverfrom the secondary, then upgrade the new secondary (former primary). - Verify both units with
get system statusand confirm cluster health withget system ha status. - Reset all administrator credentials (advisory directive) and rotate any service-account or API tokens stored on the appliance.
- Audit the management interface access log (
execute log filter category eventthenexecute log display) for anomalous administrative actions during the exposure window — Fortinet recommends triage covering at least October 1, 2025 through the patch date.
For standalone FortiWeb-VM in cloud environments, the fastest path is to provision a new instance from the fixed AMI/image, restore configuration from the snapshot, swap traffic to the new instance, and decommission the old one. This blue/green approach also ensures any post-exploitation persistence on the old instance is cleanly destroyed.
Compensating controls while patching: restrict management interface access to a small set of administrator source IPs via the GUI System > Network > Interfaces > management > Trusted Hosts setting. Disable the GUI on the data-plane interface entirely if business need permits and rely on out-of-band management. Neither closes the vulnerability, but both shrink the attack surface during the rollout window. Threat-feed-driven WAF rules sometimes claim to block the exploit; treat those claims as defense-in-depth, not as a substitute for the firmware upgrade.
What detections does the vendor or CISA publish?
Fortinet published FortiGuard IPS signatures FortiWeb.Mgmt.Path.Traversal and FortiWeb.Mgmt.Cmd.Injection covering the request patterns observed in the wild. CISA AA25-318A includes a Sigma detection for the access pattern visible in FortiWeb HTTP access logs, which defenders should import directly:
# Source: CISA AA25-318A FortiWeb exploitation, 2025-11-14
title: FortiWeb Management Interface Suspicious Path Traversal
status: stable
logsource:
product: fortinet
service: fortiweb-mgmt
detection:
selection:
request_uri|contains:
- '../'
- '..%2F'
- '..%252F'
- '/system/'
- '/cgi-bin/'
request_method:
- 'GET'
- 'POST'
filter_legit_admin:
src_ip|in_subnet:
- '10.0.10.0/24'
- '10.0.20.0/24'
condition: selection AND NOT filter_legit_admin
fields:
- src_ip
- request_uri
- response_code
- response_size
- user_agent
level: high
The CISA advisory also publishes a YARA rule pack for the post-exploitation web shells observed in October-November 2025 victim telemetry, including indicators that persist across firmware upgrades by writing to the config-backup partition. Forensic responders should compare config-backup hashes pre- and post-incident.
How Safeguard Helps
Safeguard ingests Fortinet device manifests from every FortiWeb appliance registered through the SCM/network-asset integration, parsing version, HA cluster state, and management-interface accessibility into a normalized SBOM. The default policy gate fails any change-management ticket promoting a FortiWeb image below the fixed-build table for CVE-2025-64446, and a built-in compliance check verifies that the management interface is configured with trusted-hosts even on patched builds — closing the defense-in-depth gap that exploitation campaigns frequently target after a CVE matures. Griffin AI scores FortiWeb appliances by management exposure (internet, partner-VPN, internal-only), HA configuration, and the count of protected applications behind the WAF, surfacing the highest-blast-radius devices first. VEX statements from Fortinet PSIRT are auto-ingested for devices whose management interface is bound to an out-of-band network and unreachable from the data path, suppressing dashboard noise. The ServiceNow connector files a per-HA-pair change ticket with the fixed firmware hash, the CISA KEV deadline copied into the SLA field, the credential-rotation checklist attached as evidence, and the post-patch forensic triage runbook linked — closing the loop between SBOM detection and verified WAF restoration.