CVE-2025-64446: Fortinet FortiWeb Zero-Day Path Traversal Vulnerability Exploited in the Wild
Fortinet has released an advisory for a recently disclosed zero-day path traversal vulnerability that has been exploited in the wild. Organizations are urged to patch immediately.
Background
On October 6, Defused published an X post regarding an unknown exploit targeting Fortinet devices. Shortly after, several cybersecurity organizations began investigating and confirmed that the vulnerability behind the new exploit appeared to have been silently fixed in some releases of Fortinet’s FortiWeb. This includes researchers at WatchTowr, who were able to reproduce the vulnerability. Within hours of their publication, Fortinet released a security advisory acknowledging that CVE-2025-64446 has been exploited in the wild.
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2025-64446 | Fortinet FortiWeb Path Traversal Vulnerability | 9.1 |
Analysis
CVE-2025-64446 is a relative path traversal vulnerability affecting Fortinet’s FortiWeb. An unauthenticated attacker could exploit this vulnerability to execute arbitrary commands on an affected device. According to the advisory and several reports released prior to the publication of the security advisory, this vulnerability has been exploited in the wild.
Security advisory released days after exploitation
While it’s not clear when exploitation was first observed, researchers at Defused were the first to raise the alarm about the unknown exploit targeting Fortinet devices.
⚠️Unknown Fortinet exploit (possibly a CVE-2022-40684 variant) from 64.95.13.8 🇺🇸 ( BLNWX )
VirusTotal Detections: 0/95 🟢
JWT payload translates into:
{
"username": "admin",
"profname": "prof_admin",
"vdom": "root",
"loginname": "admin"
}
— Defused (@DefusedCyber) October 6, 2025
On November 13, WatchTowr posted proof on X that they had reproduced the exploit and followed up the next day with a blog post and the release of an artifact generator on GitHub.
another exploited in-the-wild FortiWeb vuln? It must be Thursday!
— watchTowr (@watchtowrcyber) November 13, 2025
Prior to the publication of the security advisory (FG-IR-25-910) from Fortinet, several research groups began testing the exploit to determine which versions were affected and which were patched. Although several new releases appeared to contain a fix based on testing of the exploit, confirmed patch information was not available until Fortinet published their security advisory.
Historical Exploitation of Fortinet Devices
Fortinet vulnerabilities have historically been common targets for cyber attackers, and CVE-2025-64446 is the twenty-first Fortinet vulnerability to be added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list. The Research Special Operations Team has written blogs about several of these vulnerabilities as shown in the table below:
Proof of concept
At the time this blog was published on November 14, several public exploits had been released. In addition, active exploitation of this vulnerability has been observed. The combination of public exploits and known exploitation means that this vulnerability should be mitigated as soon as possible.
Solution
Fortinet has released patches for the following FortiWeb versions:
| Affected Version | Fixed Version |
|---|---|
| 7.0.0 through 7.0.11 | 7.0.12 or above |
| 7.2.0 through 7.2.11 | 7.2.12 or above |
| 7.4.0 through 7.4.9 | 7.4.10 or above |
| 7.6.0 through 7.6.4 | 7.6.5 or above |
| 8.0.0 through 8.0.1 | 8.0.2 or above |
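To turn the table above into a check that can be run over an asset inventory, here is an added Python example (not Fortinet's or Tenable's code) that parses FortiWeb version strings and reports whether each one falls inside an affected range and which release first fixes it. The inventory, host names and version-string formats are constructed assumptions; branches the table does not list are reported as unknown rather than guessed.

```python
import re

# Affected/fixed ranges per release branch, as listed in the advisory table:
# (first affected, last affected, first fixed).
FIXED_VERSIONS = {
    (7, 0): ((7, 0, 0), (7, 0, 11), (7, 0, 12)),
    (7, 2): ((7, 2, 0), (7, 2, 11), (7, 2, 12)),
    (7, 4): ((7, 4, 0), (7, 4, 9), (7, 4, 10)),
    (7, 6): ((7, 6, 0), (7, 6, 4), (7, 6, 5)),
    (8, 0): ((8, 0, 0), (8, 0, 1), (8, 0, 2)),
}

# Accepts "7.4.9", "v7.4.9" or "7.4.9,build1234" (build suffix is an assumed format).
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch); raise ValueError if no x.y.z prefix is present."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(text):
    """Classify one version string against the advisory table.

    Returns (status, first_fixed) where status is 'affected', 'fixed' or
    'unknown' (branch not covered by the table); first_fixed is the minimum
    release to upgrade to, or None.
    """
    major, minor, patch = parse_version(text)
    branch = FIXED_VERSIONS.get((major, minor))
    if branch is None:
        return "unknown", None
    first_bad, last_bad, first_good = branch
    if first_bad <= (major, minor, patch) <= last_bad:
        return "affected", ".".join(map(str, first_good))
    return "fixed", None


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are hypothetical.
    inventory = {"waf-edge-01": "7.4.9,build1234", "waf-edge-02": "v7.6.5", "waf-lab": "6.4.3"}
    for host, ver in inventory.items():
        print(host, ver, assess(ver))
```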
In addition, Fortinet provides a workaround of disabling HTTP or HTTPS on any public (internet-facing) devices to reduce risk until patching can be completed; patching remains the recommended fix. According to Fortinet, access to the management interface via HTTP/HTTPS should be restricted to internal access only and not be publicly exposed.
Identifying affected systems
A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-64446 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline. Tenable Web App Scanning plugin ID 115040 will also be available soon.
Additionally, customers can utilize Tenable Attack Surface Management to identify public facing Fortinet devices by using the following subscription:

Get more information
- Fortinet security advisory FG-IR-25-910
- WatchTowr blog: When The Impersonation Function Gets Used To Impersonate Users (Fortinet FortiWeb (??) Auth. Bypass)
Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.