CVE-2025-64446 affects Fortinet FortiWeb web application firewalls and is a critical path traversal vulnerability that can lead to unauthenticated remote command execution on vulnerable devices. Rated CVSS 9.1, the flaw allows attackers to send crafted HTTP requests that break out of expected directory paths and execute arbitrary commands in the underlying operating system, mapping to MITRE ATT&CK T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter). Security researchers and vendors including Defused, WatchTowr and Tenable confirm that public exploit code is available and that FortiWeb devices have been exploited in the wild, elevating this from a theoretical web application firewall vulnerability to an actively weaponized zero-day. Analysis of CVE-2025-64446 shows that affected versions include FortiWeb 7.0.0–7.0.11, 7.2.0–7.2.11, 7.4.0–7.4.9, 7.6.0–7.6.4 and 8.0.0–8.0.1, with fixes delivered in 7.0.12, 7.2.12, 7.4.10, 7.6.5 and 8.0.2 respectively. Because FortiWeb often sits directly in front of critical web applications, compromise of the appliance can give attackers a privileged vantage point to intercept traffic, deploy web shells, pivot deeper into the network and disable security inspection. The vulnerability joins a long line of Fortinet device CVEs added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, underscoring how network-edge appliances continue to be prime targets for initial access. From a business-risk perspective, organizations relying on FortiWeb to protect customer-facing portals, online banking, e-commerce or healthcare portals face potential data exposure, service downtime and compliance issues if devices remain unpatched. Because public exploits exist and scanning is trivial, unremediated FortiWeb instances can quickly become entry points for ransomware operations, data-theft crews or state-backed attackers. Regulated sectors subject to GDPR, PCI-DSS or HIPAA should treat exploitation of CVE-2025-64446 as a likely reportable incident if it leads to access to personal data or payment information. Fortinet’s advisory instructs customers to upgrade to the fixed FortiWeb releases and to ensure that HTTP/HTTPS management access is not exposed to the public internet. As a temporary mitigation, Fortinet recommends disabling HTTP/HTTPS on public-facing management interfaces and restricting access to internal networks or VPNs only. Security teams should rapidly inventory FortiWeb deployments, prioritize upgrades for internet-facing devices, and deploy network monitoring to detect suspicious commands or unusual file access originating from FortiWeb hosts. Vulnerability scanners and Tenable plugins for CVE-2025-64446 should be integrated into continuous assessment workflows to validate remediation and identify any lingering exposure.
🎯CORTEX Protocol Intelligence Assessment
Business Impact: CVE-2025-64446 exposes FortiWeb customers to unauthenticated remote command execution on internet-facing security appliances, creating a direct path to compromise of web applications and adjacent infrastructure. Active exploitation and public proof-of-concept code mean organizations that delay patching risk data breaches, operational disruption and regulatory fallout if attackers pivot from compromised WAFs into systems processing personal or payment data. Technical Context: The vulnerability is a relative path traversal in FortiWeb’s HTTP handling that allows crafted URLs to escape expected directory boundaries and trigger arbitrary command execution, mapping to MITRE T1190 and T1059. Impacted versions span multiple major FortiWeb branches, with fixes in 7.0.12, 7.2.12, 7.4.10, 7.6.5 and 8.0.2. Given Fortinet’s history of widely exploited device vulnerabilities and CISA KEV inclusion, rapid patching, hardening of management interfaces and layered monitoring around FortiWeb are essential.
⚡Strategic Intelligence Guidance
- Immediately inventory all FortiWeb deployments and prioritize patching to Fortinet’s fixed versions (7.0.12, 7.2.12, 7.4.10, 7.6.5 or 8.0.2) on any internet-facing devices within 24–48 hours.
- Ensure FortiWeb management interfaces are not exposed to the public internet by restricting HTTP/HTTPS access to internal networks or VPN-only paths and enforcing strong authentication.
- Deploy IDS/IPS and log monitoring around FortiWeb to detect suspicious command execution, anomalous file access and unexpected outbound connections originating from the appliance.
- Integrate Fortinet device CVEs, including CVE-2025-64446, into ongoing vulnerability management and KEV-driven remediation playbooks so that edge appliances are treated as Tier 0 assets with strict SLAs.
Threats
Remote code executionPath traversal exploit
Targets
Web application firewallsInternet-facing web portalsNetwork edge appliances