External risk intelligence

FortiWeb Path Traversal Leading to Command Execution

CVE advisoryKnown Exploit

CVE-2025-64446

A relative path traversal vulnerability in Fortinet FortiWeb may allow an attacker to execute administrative commands by sending crafted web requests. This impacts organizations using affected FortiWeb versions, posing a risk of unauthorized system control.

5Halo Surface Signal

Path Traversal

Fortinet Fortiweb

7.0.0 to before 7.0.127.2.0 to before 7.2.127.4.0 to before 7.4.107.6.0 to before 7.6.58.0.0 to before 8.0.2

External exposure likelihood

Halo Surface Signal score for CVE-2025-64446

FortiWeb is a Web Application Firewall designed to be deployed at the internet edge to inspect and filter public-facing web traffic. As a gateway appliance intended to protect public services, its management and operational interfaces are frequently exposed or situated directly in the path of internet traffic by design.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in Fortinet FortiWeb web application firewalls could allow an attacker to execute administrative commands. This flaw exists in how the system handles certain web requests, potentially enabling unauthorized access to system functions. The impact could lead to unauthorized control over the affected firewall appliance.

  • Vulnerable Fortinet FortiWeb appliance
  • Relative path traversal flaw
  • Unauthorized administrative command execution

Attack Path

How an attacker could exploit the issue

A relative path traversal vulnerability exists in Fortinet FortiWeb, potentially allowing an attacker to execute administrative commands. This occurs when an attacker sends specially crafted HTTP or HTTPS requests. The vulnerability impacts organizations using affected versions of FortiWeb.

  • Network exposure needed.
  • Attacker sends crafted requests.
  • Control of administrative commands.

Live Threat

Current exploitation, exposure, and threat context

A critical vulnerability exists in Fortinet FortiWeb products, potentially allowing attackers to execute administrative commands. This threat is amplified as FortiWeb is often deployed at the internet edge to protect public-facing web traffic. The vulnerability can be exploited through crafted HTTP or HTTPS requests, posing a significant risk to organizations utilizing affected versions of the product.

  • Attackers with basic skills.
  • No authentication or special access needed.
  • High business risk, treat as urgent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A critical vulnerability has been identified in Fortinet FortiWeb that could allow an attacker to execute administrative commands. This poses a significant risk to organizations utilizing the affected product, potentially leading to unauthorized system control and data compromise. The vulnerability is accessible over the network and does not require user interaction.

  • Identify exposed FortiWeb assets.
  • Isolate affected systems from the network.
  • Apply vendor updates and verify.
  • Monitor for suspicious activity.

Frequently asked questions

What is a relative path traversal vulnerability in Fortinet FortiWeb?

A relative path traversal vulnerability in Fortinet FortiWeb allows an attacker to execute administrative commands by sending specially crafted HTTP or HTTPS requests. This weakness, classified as CWE-23, impacts specific versions of FortiWeb, including 8.0.0-8.0.1, 7.6.0-7.6.4, 7.4.0-7.4.9, 7.2.0-7.2.11, and 7.0.0-7.0.11.

How does the FortiWeb vulnerability allow command execution?

The vulnerability, a relative path traversal (CWE-23), enables an attacker to execute administrative commands by manipulating HTTP or HTTPS requests. The exploit does not require authentication or special privileges, making it accessible to attackers with basic skills.

What is the scope of the FortiWeb vulnerability?

The scope of this vulnerability is system-wide, potentially allowing an attacker to execute administrative commands on the affected Fortinet FortiWeb appliance. This could lead to unauthorized control over the firewall and potential data compromise. The exposure is classified as external, as it can be exploited over the network.

How relevant is the FortiWeb command execution vulnerability?

This vulnerability is highly relevant and considered critical due to Fortinet FortiWeb's typical deployment at the internet edge to protect public-facing web traffic. Its external exposure and ability to be exploited without authentication or user interaction, as detailed by the Halo Surface Signal, designate it as a very likely threat requiring urgent attention.

What steps should be taken to respond to the FortiWeb vulnerability?

To address the FortiWeb vulnerability, organizations should identify exposed FortiWeb assets, isolate affected systems from the network if possible, and promptly apply vendor updates. Monitoring for suspicious activity is also crucial. Affected versions include 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified