Skip to main content
Customer Support Customer Support

Alert Fortinet Releases Security Advisory for Relative Path Traversal Vulnerability Affecting FortiWeb Products Release Date November 14, 2025

  • November 15, 2025
  • 0 replies
  • 9 views
TripleHelix
Moderator
Forum|alt.badge.img+63

CISA is aware of exploitation of a newly disclosed vulnerability, CVE-2025-64446

in Fortinet FortiWeb, a web application firewall. This vulnerability affects the following FortiWeb versions:1

  • 8.0.0 through 8.0.1
  • 7.6.0 through 7.6.4
  • 7.4.0 through 7.4.9
  • 7.2.0 through 7.2.11
  • 7.0.0 through 7.0.11

CVE-2025-64446 is a relative path traversal vulnerability CWE-23: Relative Path Traversal

that may allow an unauthenticated malicious actor to execute administrative commands on a system via specially crafted HTTP or HTTPS requests. 

Fortinet recommends affected organizations:

  • Version Affected Solution
    FortiWeb 8.0 8.0.0 through 8.0.1 Upgrade to 8.0.2 or above
    FortiWeb 7.6 7.6.0 through 7.6.4 Upgrade to 7.6.5 or above
    FortiWeb 7.4 7.4.0 through 7.4.9 Upgrade to 7.4.10 or above
    FortiWeb 7.2 7.2.0 through 7.2.11 Upgrade to 7.2.12 or above
    FortiWeb 7.0 7.0.0 through 7.0.11 Upgrade to 7.0.12 or above
  • If you cannot immediately upgrade the affected systems, disable HTTP or HTTPS for internet-facing interfaces. Note: Limiting access to HTTP/HTTPS management interfaces to internal networks is a best practice that reduces, but does not eliminate, risk; upgrading the affected systems remains essential and is the only way to fully remediate this vulnerability.
  • After upgrading, review configuration and review logs for unexpected modifications or the addition of unauthorized administrator accounts.

CISA added CVE-2025-64446 to its Known Exploited Vulnerabilities (KEV) Catalog on Nov. 14, 2025.

Disclaimer

Note: This Alert may be updated to reflect new guidance issued by CISA or other parties. 

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at contact@cisa.dhs.gov

or (888) 282-0870.   

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA

Notes

1 FortiGuard Labs, Path confusion vulnerability in GUI (November 14, 2025), https://fortiguard.fortinet.com/psirt/FG-IR-25-910

 

https://www.cisa.gov/news-events/alerts/2025/11/14/fortinet-releases-security-advisory-relative-path-traversal-vulnerability-affecting-fortiweb

Daniel - Microsoft MVP Consumer Security (2012-2016) Windows 10 Pro x64 for Workstations 22H2 on my Alienware 17R2 and Windows 11 Pro x64 for Workstations on my Alienware 17R5 Laptops with Webroot SecureAnywhere Complete Beta Tester for PC & Android Samsung Galaxy A16 5G OS 16.
ProTruckDriver
Jasper_The_Rasper
TripleHelix

Terms & ConditionsAccessibility statement