Fortinet Releases Security Advisory for Relative Path Traversal Vulnerability Affecting FortiWeb Products

CISA is aware of exploitation of a newly disclosed vulnerability, CVE-2025-64446, in Fortinet FortiWeb, a web application firewall. This vulnerability affects the following FortiWeb versions:¹

• 8.0.0 through 8.0.1
• 7.6.0 through 7.6.4
• 7.4.0 through 7.4.9
• 7.2.0 through 7.2.11
• 7.0.0 through 7.0.11

CVE-2025-64446 is a relative path traversal vulnerability CWE-23: Relative Path Traversal that may allow an unauthenticated malicious actor to execute administrative commands on a system via specially crafted HTTP or HTTPS requests. 

Fortinet recommends affected organizations:

• Apply the necessary upgrades listed in the table below and Fortinet’s guidance.

  Version	Affected	Solution
  FortiWeb 8.0	8.0.0 through 8.0.1	Upgrade to 8.0.2 or above
  FortiWeb 7.6	7.6.0 through 7.6.4	Upgrade to 7.6.5 or above
  FortiWeb 7.4	7.4.0 through 7.4.9	Upgrade to 7.4.10 or above
  FortiWeb 7.2	7.2.0 through 7.2.11	Upgrade to 7.2.12 or above
  FortiWeb 7.0	7.0.0 through 7.0.11	Upgrade to 7.0.12 or above

• If you cannot immediately upgrade the affected systems, disable HTTP or HTTPS for internet-facing interfaces. Note: Limiting access to HTTP/HTTPS management interfaces to internal networks is a best practice that reduces, but does not eliminate, risk; upgrading the affected systems remains essential and is the only way to fully remediate this vulnerability.
• After upgrading, review configuration and review logs for unexpected modifications or the addition of unauthorized administrator accounts.

CISA added CVE-2025-64446 to its Known Exploited Vulnerabilities (KEV) Catalog on Nov. 14, 2025.

Disclaimer

Note: This Alert may be updated to reflect new guidance issued by CISA or other parties. 

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at contact@cisa.dhs.gov or (888) 282-0870.   

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA

Notes

¹ FortiGuard Labs, Path confusion vulnerability in GUI (November 14, 2025), https://fortiguard.fortinet.com/psirt/FG-IR-25-910. 

Source link