FortiWeb contains a relative path traversal vulnerability that could allow an unauthenticated attacker to send crafted HTTP or HTTPS requests that would execute administrative commands.
Who is affected?
CVE-2025-64446 impacts the following versions of FortiWeb:
- FortiWeb 8.0.0 through 8.0.1
- FortiWeb 7.6.0 through 7.6.4
- FortiWeb 7.4.0 through 7.4.9
- FortiWeb 7.2.0 through 7.2.11
- FortiWeb 7.0.0 through 7.0.11
What can I do?
Customers should disable HTTP and HTTPS on internet-facing interfaces until an upgrade can be applied, then install the latest version of this product as soon as possible.
The vendor has released the following updates to resolve this vulnerability:
| Affected Versions | Fixed Releases (Upgrade to these versions) |
|---|---|
| FortiWeb 8.0 | 8.0.2 or above |
| FortiWeb 7.6 | 7.6.5 or above |
| FortiWeb 7.4 | 7.4.10 or above |
| FortiWeb 7.2 | 7.2.12 or above |
| FortiWeb 7.0 | 7.0.12 or above |
Additional information can be found at:
- Vendor Advisory: PSIRT - FortiGuard Labs
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities in addition to those listed below:
- IDS: On November 14, 2025, Alert Logic deployed an IDS signature to detect CVE-2025-64446 FortiWeb File Traversal/Authentication Bypass.
- Fusion VM: Alert Logic added mappings for authenticated scan on November 18, 2025, for FortiWeb.
- Fusion VM: Alert Logic released a new unauthenticated network check for CVE-2025-64446 on November 19, 2025.
- Tripwire IP360: Tripwire released remote scan coverage on November 20, 2025, to identify vulnerable instances. The following table identifies matching vulnerabilities.

| CVE | Tripwire IP360 Vulnerability |
|---|---|
| CVE-2025-64446 | 776839 |

- FortraVM: On December 1, 2025, Alert Logic released mappings for unauthenticated scan detection in FortraVM 4.78.0.
- Core Impact: On January 5, Core Impact released this exploit for customers. The exploit targets a relative path traversal vulnerability in Fortinet FortiWeb that allows an attacker to bypass authentication and create a new administrative user (prof_admin) on the target system. The module first checks whether the target is vulnerable by testing the path traversal against a specific endpoint with an empty payload. If the check succeeds, the module uses the vulnerability to create a new administrative user (prof_admin) on the target system with the credentials you provide; if you do not provide credentials, the module generates random ones.
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated with new information about this vulnerability and related security coverage as it becomes available.
- 01/05/2025: Core Impact released an exploit that uses a path traversal vulnerability in Fortinet FortiWeb to bypass authentication and create a new admin user (prof_admin) on the target system.
- 11/14/2025: Alert Logic deployed an IDS signature to detect CVE-2025-64446.
- 11/18/2025: Alert Logic released mappings for authenticated network scan detection for FortiWeb.
- 11/19/2025: Alert Logic added a new unauthenticated network check for FortiWeb.
- 11/20/2025: Tripwire released remote scan coverage to identify vulnerable instances of CVE-2025-64446.
- 12/01/2025: Alert Logic released FortraVM mappings for unauthenticated scan detection.
