Executive Summary

Fortinet has confirmed and patched a critical zero-day vulnerability in its FortiWeb web application firewall (WAF) that is being actively exploited in the wild. The vulnerability, tracked as CVE-2025-64446, is a path traversal flaw that can be exploited by an unauthenticated, remote attacker to achieve arbitrary command execution with administrative privileges. The severity of this flaw, combined with its active exploitation, prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog. Organizations using affected FortiWeb versions are urged to apply the security updates immediately to mitigate this significant threat.

Vulnerability Details

• CVE-2025-64446 - FortiWeb Relative Path Traversal Vulnerability (KEV)
  • Severity: Critical
  • Description: This is a relative path traversal vulnerability that allows an unauthenticated attacker to bypass security controls by sending a specially crafted HTTP or HTTPS request to a vulnerable FortiWeb device.
  • Impact: Successful exploitation allows the attacker to execute arbitrary commands on the underlying operating system with the privileges of the WAF, which are typically administrative. This effectively gives an attacker full control over a critical security appliance, allowing them to disable protections, pivot into the internal network, or intercept and manipulate traffic.

Affected Systems

The vulnerability affects a broad range of FortiWeb versions:

• FortiWeb versions 8.0.0 through 8.0.1
• FortiWeb versions 7.6.0 through 7.6.4
• FortiWeb versions 7.4.0 through 7.4.9
• FortiWeb versions 7.2.0 through 7.2.11
• FortiWeb versions 7.0.0 through 7.0.11

Exploitation Status

Both Fortinet and CISA have confirmed that CVE-2025-64446 is being actively exploited in attacks. Edge devices like firewalls and WAFs are high-value targets for threat actors because they are internet-facing and can provide a direct gateway into a corporate network. Exploitation of such devices is often a precursor to broader network intrusion, data theft, or ransomware deployment.

Impact Assessment

The impact of exploiting this vulnerability is severe. A compromised WAF can no longer be trusted to protect the web applications behind it. An attacker with administrative control over a FortiWeb device could:

• Disable security policies, leaving web applications exposed to attack.
• Intercept, view, or modify sensitive traffic passing through the WAF.
• Use the compromised device as a pivot point to launch attacks against the internal network.
• Establish persistent access to the network perimeter.

Given its position on the network edge, a compromised FortiWeb appliance is a critical breach that can undermine an organization's entire security posture.

Cyber Observables for Detection

• url_pattern: Look for suspicious URL patterns containing path traversal sequences like ..%2f or ../ in requests to the FortiWeb management interface.
• log_source: FortiWeb device logs (HTTP/S traffic logs, system event logs).
• command_line_pattern: On the device itself, look for the execution of unexpected commands by the web server process (e.g., sh, bash, wget, curl).

Detection Methods

• Log Analysis: Scrutinize FortiWeb's web server access logs for any requests containing path traversal sequences or attempts to access system files outside of the web root. Use D3FEND's URL Analysis (D3-UA) to identify malicious requests.
• Network Traffic Analysis: Monitor traffic to and from the FortiWeb management interface. Any unexpected outbound connections from the device could indicate a compromise. This aligns with D3FEND's Outbound Traffic Filtering (D3-OTF).
• Integrity Checks: If possible, perform integrity checks on the FortiWeb device's file system to look for unauthorized modifications or the presence of malicious scripts.

Remediation Steps

• Patch Immediately: The only effective remediation is to apply the security updates provided by Fortinet. Due to the active exploitation, this should be treated as an emergency change. This is a direct application of D3FEND's Software Update (D3-SU).
• Restrict Access: As a compensating control, ensure that the FortiWeb management interface is not exposed to the public internet. Access should be restricted to a secure, internal management network. This aligns with Network Isolation (D3-NI).
• Hunt for Compromise: After patching, it is crucial to assume the device may have been compromised. Review logs for signs of exploitation that occurred before the patch was applied. If any signs are found, trigger a full incident response process.