CVE-2025-64446

What is Fortinet FortiWeb?

Fortinet FortiWeb is a Web Application Firewall (WAF) appliance used by enterprises and government agencies to protect web applications from attacks. As a security gateway positioned in front of web applications, FortiWeb inspects HTTP/HTTPS traffic, blocks malicious requests, and enforces security policies. Ironically, FortiWeb appliances themselves are attractive targets: they sit at the network perimeter, are publicly internet-facing by design, carry administrative credentials, and their compromise can give attackers visibility into the protected web application traffic while also removing a key security layer.

Overview

CVE-2025-64446 is a critical relative path traversal vulnerability (CWE-23) in Fortinet FortiWeb's GUI API handler. An unauthenticated remote attacker sends a crafted HTTP or HTTPS request containing path traversal sequences that bypass the intended API routing, reaching privileged administrative endpoints without authentication. Successful exploitation allows execution of arbitrary OS-level administrative commands. Fortinet confirmed this was a zero-day — actively exploited in the wild before the advisory was published. Mass exploitation activity was observed as early as July 2025, approximately four months before the patch. CISA issued a rare 7-day remediation deadline (normally 3 weeks), reflecting the severity and ongoing exploitation.

Affected Versions

Technical Details

The vulnerability (CWE-23: Relative Path Traversal) is in FortiWeb's GUI API HTTP request routing. The API handler fails to properly validate or sanitize URL path components before resolving the endpoint. By inserting path traversal sequences (e.g., /../) into the request URL, an attacker can break out of the intended /api/v2.0/ routing context and reach privileged administrative API endpoints that should require authentication.

Once an unauthorized attacker reaches the administrative API, they can execute OS-level admin commands on the FortiWeb appliance — effectively gaining full control of the device. In observed exploitation, attackers created rogue administrator accounts (with names such as "Testpoint," "trader," and "trader1" and easily-guessable passwords) to establish persistent access for subsequent operations.

Discovery

Discovered by Defused Cyber. Bishop Fox and Watchtowr Labs published independent technical analyses.

Exploitation Context

Fortinet confirmed active in-the-wild exploitation before the advisory was published — a zero-day. CERT Orange Cyberdefense reported mass exploitation observed as early as July 2025, approximately four months before the patch was available. Observed post-exploitation behavior: creation of rogue administrator accounts to maintain persistent access, and lateral movement into protected web application environments. CISA issued a 7-day federal remediation deadline (vs. the standard 3 weeks), underscoring the severity. No specific threat actor group has been publicly attributed, but the early and sustained exploitation suggests organized, sophisticated attackers.

Remediation

1. Upgrade FortiWeb immediately to the fixed version for your branch: 7.0.12+, 7.2.12+, 7.4.10+, 7.6.5+, or 8.0.2+.
2. Check for rogue admin accounts immediately: log in to the FortiWeb admin console and review all administrator accounts. Remove any unauthorized accounts (particularly those named "Testpoint," "trader," or similar).
3. Review audit logs for unauthorized API calls, particularly requests to administrative endpoints not matching expected management traffic patterns.
4. Restrict management interface access — FortiWeb's admin GUI and API should never be internet-accessible. Apply firewall rules to limit HTTPS management access to trusted administrative IP ranges only.
5. Rotate all FortiWeb admin credentials — if exploitation is suspected, change all administrator passwords and API keys.
6. Audit protected applications — if FortiWeb was compromised, the attacker had visibility into all proxied web application traffic; review downstream applications for signs of breach.