Relative Path Traversal Vulnerability in Fortinet FortiWeb Products
CVE-2025-64446

9.1CRITICAL

Key Information:

Vendor

Fortinet
Status
Fortiweb
Vendor
CVE Published:
14 November 2025

Badges

👾 Exploit Exists📰 News Worthy

What is CVE-2025-64446?

A relative path traversal vulnerability exists in Fortinet FortiWeb products versions 8.0.0 to 8.0.1, 7.6.0 to 7.6.4, 7.4.0 to 7.4.9, 7.2.0 to 7.2.11, and 7.0.0 to 7.0.11. This vulnerability allows an attacker to potentially execute unauthorized administrative commands on the system by sending specially crafted HTTP or HTTPS requests, which may lead to severe security risks.

Affected Version(s)

FortiWeb 8.0.0 <= 8.0.1

FortiWeb 7.6.0 <= 7.6.4

FortiWeb 7.4.0 <= 7.4.9

News Articles

favicon imageBleepingComputer

Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks

Fortinet has silently patched a critical zero-day vulnerability in its FortiWeb web application firewall, which is now being widely exploited.

3 hours ago

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-910

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 👾

    Exploit known to exist

  • 📰

    First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-64446 : Relative Path Traversal Vulnerability in Fortinet FortiWeb Products