FortiWeb contains a relative path traversal vulnerability that could allow an unauthenticated attacker to send crafted HTTP or HTTPS requests that would execute administrative commands.
Who is affected?
CVE-2025-64446 impacts the following versions of FortiWeb:
- FortiWeb 8.0.0 through 8.0.1
- FortiWeb 7.6.0 through 7.6.4
- FortiWeb 7.4.0 through 7.4.9
- FortiWeb 7.2.0 through 7.2.11
- FortiWeb 7.0.0 through 7.0.11
What can I do?
Customers should disable HTTP and HTTPS on internet-facing interfaces until an upgrade can be applied, then install the latest version of this product as soon as possible.
The vendor has released the following updates to resolve this vulnerability:
| Affected Versions | Fixed Releases (Upgrade to these versions) |
|---|---|
| FortiWeb 8.0 | 8.0.2 or above |
| FortiWeb 7.6 | 7.6.5 or above |
| FortiWeb 7.4 | 7.4.10 or above |
| FortiWeb 7.2 | 7.2.12 or above |
| FortiWeb 7.0 | 7.0.12 or above |
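To triage an inventory of FortiWeb appliances against the affected ranges and fixed releases listed above, the following added example (not code from Fortra or Fortinet) parses a version string and reports whether it falls inside an affected range and which release closes it. The hostnames and version strings it uses are constructed sample data.

```python
"""Check FortiWeb version strings against the CVE-2025-64446 ranges in the advisory."""
import re
from typing import Dict, Optional, Tuple

# (first affected, last affected, first fixed) per branch, as listed in the advisory.
AFFECTED_RANGES = [
    ((8, 0, 0), (8, 0, 1), (8, 0, 2)),
    ((7, 6, 0), (7, 6, 4), (7, 6, 5)),
    ((7, 4, 0), (7, 4, 9), (7, 4, 10)),
    ((7, 2, 0), (7, 2, 11), (7, 2, 12)),
    ((7, 0, 0), (7, 0, 11), (7, 0, 12)),
]

# Accepts "7.6.3", "v7.6.3" or "7.6.3,build1234" (build suffix ignored).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a FortiWeb version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiWeb version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def check_version(text: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, first_fixed_release).

    Branches the advisory does not list (for example 6.x) come back as
    (False, None): they are outside the advisory's scope, not known to be safe.
    """
    v = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return True, "%d.%d.%d" % fixed
    return False, None


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Map each host in a {host: version} inventory to its check_version result."""
    return {host: check_version(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts.
    sample = {"waf-edge-1": "7.6.3", "waf-edge-2": "7.6.5", "waf-lab": "8.0.0,build0010"}
    for host, (affected, fixed) in triage(sample).items():
        verdict = f"AFFECTED, upgrade to {fixed} or above" if affected else "not in affected ranges"
        print(f"{host}: {verdict}")
```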
Additional information can be found at:
- Vendor Advisory: PSIRT - FortiGuard Labs
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities in addition to those listed below:
- FusionVM: Alert Logic added authenticated-scan mappings for FortiWeb on November 18, 2025.
- FusionVM: Alert Logic released a new unauthenticated network check for CVE-2025-64446 on November 19, 2025.
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated with new information about this vulnerability and related security coverage as it becomes available.
11/18/2025: Alert Logic released mappings for authenticated network scan detection for FortiWeb.
11/19/2025: Alert Logic added a new unauthenticated network check for FortiWeb.
