Fortinet FortiWeb, relative path traversal authentication bypass to admin RCE
A relative path traversal in Fortinet FortiWeb allows an unauthenticated remote attacker to execute administrative commands via crafted HTTP/HTTPS requests. By traversing to a privileged internal endpoint, attackers can create new administrator accounts and take full control of the WAF appliance. Fortinet observed exploitation in the wild.
Overview
CVE-2025-64446 is a critical relative path traversal in Fortinet FortiWeb, Fortinet's web application firewall. An unauthenticated remote attacker can craft HTTP/HTTPS requests that traverse to a privileged internal CGI endpoint and execute administrative commands, including creating new administrator accounts. Because FortiWeb is itself a security appliance frequently exposed to the internet, exploitation hands attackers control of the very device meant to protect web apps. Fortinet confirmed in-the-wild exploitation, and CISA added it to the KEV catalog.
Technical Details
The flaw lets a request escape its intended path and reach an internal management interface (a CGI handler) without authentication. Observed exploitation sends a POST to a traversal path that invokes the appliance's own administrative API, creating a local admin account the attacker then uses to log in legitimately. The bug was quietly fixed in FortiWeb 8.0.2 before a CVE was assigned, and public exploitation accelerated once the silent patch and PoCs surfaced.
Impact
- Unauthenticated administrative takeover of the FortiWeb appliance.
- Persistent rogue admin accounts that survive until manually removed.
- WAF subversion: attackers can disable protections, inspect traffic, or pivot to protected applications.
- Internet exposure of FortiWeb management interfaces made mass exploitation feasible.
Mitigation
- Upgrade immediately to FortiWeb 8.0.2, 7.6.5, 7.4.10, 7.2.12, or 7.0.12 (or later) per FG-IR-25-910.
- Disable HTTP/HTTPS administrative access on internet-facing interfaces; restrict management to trusted networks.
- Audit administrator accounts and delete any that were not created by your team.
- Review configuration changes and policy modifications made before patching.
Detection
- Look for unexpected new local admin accounts and POST requests to traversal paths reaching internal CGI endpoints.
- Review FortiWeb event logs for admin-account creation and configuration changes from unknown source IPs.
- Correlate with CISA KEV (added November 14, 2025) indicators.
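The two log-review items above, worked into a small triage script as an added example (not Fortinet's tooling or a FortiWeb log parser): it flags POSTs whose path walks upward through `..` segments, including URL-encoded ones, into a CGI handler, and admin-account or policy changes from source IPs outside a trusted management network. The log line layout, the trusted network and the CGI file name are constructed assumptions for the example.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real FortiWeb output):
# "<src_ip> <method> <raw_request_path> [...]"
SAMPLE_ACCESS_LOG = [
    "10.0.0.5 GET /login HTTP/1.1",
    "203.0.113.9 POST /static/../cgi-bin/example.cgi",        # placeholder CGI name
    "203.0.113.9 POST /a/%2e%2e/%2e%2e/cgi-bin/example.cgi",  # URL-encoded '..'
    "10.0.0.5 POST /cgi-bin/example.cgi",                     # direct, no traversal
]
# Constructed sample event-log lines: "<src_ip> <event text>"
SAMPLE_EVENT_LOG = [
    "10.0.0.5 admin user 'ops-admin' added",
    "203.0.113.9 admin user 'svc-backup' added",
    "10.0.0.5 policy 'web-prod' modified",
]
# Networks from which management activity is expected (assumption).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def has_traversal(raw_path: str) -> bool:
    """True if the path contains a '..' segment, also after one or two
    rounds of URL decoding (catches %2e%2e and double-encoded variants)."""
    path = raw_path.split("?", 1)[0]
    decoded = unquote(unquote(path))
    return any(seg == ".." for seg in decoded.split("/"))

def flag_traversal_posts(lines):
    """Return (src_ip, raw_path) for POSTs that traverse into a CGI handler."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        src, method, path = parts[0], parts[1], parts[2]
        decoded = unquote(unquote(path)).lower()
        if method == "POST" and has_traversal(path) and ".cgi" in decoded:
            hits.append((src, path))
    return hits

def flag_admin_events(lines, trusted_nets=TRUSTED_MGMT_NETS):
    """Return admin-account creations and policy changes from untrusted IPs."""
    pattern = re.compile(r"admin user '[^']+' added|policy '[^']+' modified")
    hits = []
    for line in lines:
        src, _, event = line.partition(" ")
        ip = ipaddress.ip_address(src)
        if pattern.search(event) and not any(ip in net for net in trusted_nets):
            hits.append((src, event))
    return hits
```

Any hit from `flag_traversal_posts` should be cross-checked against `flag_admin_events` for the same source address within the same window, since the observed exploitation chain ends with a new admin account.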