The Cybersecurity and Infrastructure Security Agency (CISA) identified a critical **path-traversal vulnerability (CVE-2025-64446)** in Fortinet’s **FortiWeb web application firewall**, allowing unauthenticated attackers to gain **administrative access** via malicious HTTP/HTTPS requests. Exploitation grants deep network visibility, enabling attackers to **disable security controls, intercept sensitive data, or pivot laterally** across systems. While no confirmed ransomware link exists, the flaw’s severity—coupled with active exploitation—poses a **high risk of unauthorized access, data exposure, or system compromise**. CISA mandated a **7-day patching deadline** for federal agencies, urging all organizations to apply mitigations immediately. Failure to remediate could lead to **full administrative takeover of FortiWeb devices**, compromising protected applications and facilitating broader network infiltration. The vulnerability’s inclusion in CISA’s **Known Exploited Vulnerabilities (KEV) catalog** underscores its criticality and ongoing abuse by threat actors.
Source: https://gbhackers.com/cisa-reports-active-attacks-on-fortiweb-waf-vulnerability/
TPRM report: https://www.rankiteo.com/company/fortinet
"id": "for2232822111825",
"linkid": "fortinet",
"type": "Vulnerability",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Cybersecurity',
                        'name': 'Fortinet',
                        'type': 'Technology Vendor'}],
 'attack_vector': ['Network', 'HTTP/HTTPS Requests'],
 'customer_advisories': ['Apply patches immediately or discontinue use of affected FortiWeb versions.',
                         'Review logs for indicators of exploitation (e.g., unusual admin commands via HTTP/HTTPS).'],
 'date_publicly_disclosed': '2025-11-14',
 'description': 'The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Fortinet FortiWeb vulnerability (CVE-2025-64446) to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, a relative path traversal vulnerability (CWE-23), allows unauthenticated attackers to gain administrative access to affected systems via specially crafted HTTP/HTTPS requests. CISA warns of active exploitation in the wild and mandates remediation by November 21, 2025, for federal agencies under BOD 22-01. The vulnerability poses severe risks, including potential ransomware initial access, deep network visibility, and security control bypass.',
 'impact': {'brand_reputation_impact': ['Potential Reputation Damage Due to Exploitation of Critical Security Flaw'],
            'operational_impact': ['Potential Bypass of Security Controls',
                                   'Network Visibility for Attackers',
                                   'Lateral Movement Risk'],
            'systems_affected': ['Fortinet FortiWeb Web Application Firewall']},
 'initial_access_broker': {'entry_point': ['FortiWeb Path Traversal (CVE-2025-64446)'],
                           'high_value_targets': ['Web Application Firewall (WAF) Configurations',
                                                  'Protected Applications',
                                                  'Network Security Controls']},
 'investigation_status': 'Active Exploitation Confirmed (per CISA KEV Catalog)',
 'lessons_learned': ['Critical vulnerabilities in security appliances (e.g., WAFs) can enable deep network compromise if exploited.',
                     'Path traversal flaws in authentication mechanisms pose severe risks for unauthorized administrative access.',
                     'Proactive patching and log monitoring are essential for mitigating zero-day and known exploited vulnerabilities.'],
 'motivation': ['Unauthorized Access',
                'Potential Ransomware Initial Access',
                'Data Theft',
                'Lateral Movement'],
 'post_incident_analysis': {'corrective_actions': ['Fortinet to release patches addressing CVE-2025-64446.',
                                                   'Organizations to enforce strict patch management for security appliances.',
                                                   'Enhance WAF rule sets to detect and block path traversal attempts.'],
                            'root_causes': ['Relative path traversal vulnerability (CWE-23) in FortiWeb’s authentication mechanism.',
                                            'Insufficient input validation for pathname construction in HTTP/HTTPS request handling.']},
 'recommendations': ['Immediately patch Fortinet FortiWeb deployments to the latest secure version.',
                     'Implement network segmentation to contain potential breaches involving FortiWeb devices.',
                     'Monitor access logs for anomalous HTTP/HTTPS requests targeting FortiWeb appliances.',
                     'Prioritize remediation of CISA KEV-listed vulnerabilities to reduce exposure to active threats.',
                     'Evaluate compensatory controls (e.g., WAF rules, IPS signatures) if patching is delayed.'],
 'references': [{'date_accessed': '2025-11-14',
                 'source': 'CISA Known Exploited Vulnerabilities (KEV) Catalog'},
                {'source': 'Fortinet Security Advisory (CVE-2025-64446)'},
                {'source': 'CISA Binding Operational Directive (BOD) 22-01'}],
 'regulatory_compliance': {'regulatory_notifications': ['CISA KEV Catalog Inclusion (BOD 22-01 for Federal Agencies)']},
 'response': {'communication_strategy': ['CISA Advisory (KEV Catalog Addition)',
                                         'Vendor Notification (Fortinet)'],
              'containment_measures': ['Apply Security Patches',
                                       'Discontinue Use of Affected Products (if mitigations unavailable)'],
              'enhanced_monitoring': ['Monitor for exploitation attempts via HTTP/HTTPS requests'],
              'network_segmentation': ['Implement to limit lateral movement if FortiWeb is compromised'],
              'remediation_measures': ['Patch FortiWeb deployments per Fortinet’s vendor instructions',
                                       'Follow BOD 22-01 guidance for cloud services',
                                       'Review access logs for suspicious HTTP/HTTPS requests']},
 'stakeholder_advisories': ['CISA Advisory for Federal Agencies (BOD 22-01)',
                            'Fortinet Customer Notification'],
 'title': 'Critical Fortinet FortiWeb Path Traversal Vulnerability (CVE-2025-64446) Actively Exploited',
 'type': ['Vulnerability Exploitation',
          'Unauthenticated Access',
          'Path Traversal'],
 'vulnerability_exploited': {'cve_id': 'CVE-2025-64446',
                             'cwe_id': 'CWE-23',
                             'description': 'Relative path traversal vulnerability in Fortinet FortiWeb web application firewall, allowing unauthenticated administrative command execution via crafted requests.'}}