The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent warning about **CVE-2025-64446**, a critical **relative path traversal vulnerability (CWE-23)** in Fortinet’s **FortiWeb Web Application Firewall (WAF)**. This flaw allows unauthenticated attackers to bypass authentication and execute **administrative commands remotely**, turning a defensive security appliance into an entry point for deeper network compromise. Exploitation is already active, targeting sectors such as **finance, healthcare, and managed hosting**, where FortiWeb protects customer-facing applications. The vulnerability affects versions up to **7.4.7 and 7.6.5**; patches (7.4.8, 7.6.6) are available but adoption is lagging. Attackers leveraging this flaw could **disable protections, exfiltrate sensitive data, deploy malware, or pivot into internal networks**. CISA mandated federal agencies to remediate by **November 21, 2025**, under **Binding Operational Directive (BOD) 22-01**, warning that unpatched systems risk becoming **pivot points for ransomware or multi-stage attacks**. While Fortinet has confirmed no customer data breaches yet, the **active exploitation in critical sectors** elevates the risk of **large-scale data leaks, operational disruption, or lateral movement into high-value systems** if left unaddressed.
Source: https://www.linkedin.com/pulse/cisa-warns-active-exploitation-critical-fortiweb-to15e
TPRM report: https://www.rankiteo.com/company/fortinet
"id": "for2762227111925",
"linkid": "fortinet",
"type": "Vulnerability",
"date": "11/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Public Sector',
'location': 'United States',
'name': 'U.S. Federal Agencies (mandated remediation)',
'type': 'Government'},
{'industry': ['Finance',
'Healthcare',
'Managed Hosting'],
'type': 'Organizations'}],
'attack_vector': ['Network',
'Remote Code Execution (RCE)',
'Authentication Bypass'],
'customer_advisories': ['Federal agencies: Mandatory remediation by November '
'21, 2025'],
'data_breach': {'data_exfiltration': ['Potential risk if exploited']},
'date_publicly_disclosed': '2025-11-14',
'description': 'The U.S. Cybersecurity and Infrastructure Security Agency '
'(CISA) has issued an urgent warning concerning a critical '
'flaw in Fortinet’s FortiWeb Web Application Firewall (WAF), '
'tracked as CVE-2025-64446. The vulnerability involves a '
'relative path traversal weakness (CWE-23) that allows '
'attackers to bypass authentication and execute administrative '
'commands directly on the device. It has been added to CISA’s '
'Known Exploited Vulnerabilities (KEV) catalog, with a '
'mandatory remediation deadline of November 21, 2025, for '
'federal agencies. Active exploitation has been observed in '
'sectors such as finance, healthcare, and managed hosting, '
'with threat actors leveraging the flaw to gain administrative '
'access, disable protections, exfiltrate data, or pivot deeper '
'into networks.',
'impact': {'brand_reputation_impact': ['Potential erosion of trust in '
'Fortinet security products',
'Reputational damage for affected '
'organizations'],
'legal_liabilities': ['Non-compliance with CISA BOD 22-01 for '
'federal agencies',
'Potential regulatory scrutiny for delayed '
'patching'],
'operational_impact': ['Potential disruption of web application '
'security',
'Risk of lateral movement into corporate '
'networks'],
'systems_affected': ['FortiWeb WAF appliances (unpatched '
'versions)']},
'initial_access_broker': {'backdoors_established': ['Potential for persistent '
'malware deployment'],
'entry_point': ['FortiWeb WAF path traversal '
'vulnerability (CVE-2025-64446)'],
'high_value_targets': ['Finance, healthcare, and '
'managed hosting sectors']},
'investigation_status': 'Ongoing (active exploitation confirmed; no '
'attribution disclosed)',
'lessons_learned': ['Security appliances (e.g., WAFs, firewalls) are '
'high-value targets due to their network edge position '
'and elevated privileges.',
'Vulnerabilities in security tools can invert defensive '
'controls into attack vectors.',
'Organizations must accelerate patching timelines for '
'edge appliances to mitigate exploitation risks.',
'Network segmentation and strict access controls are '
'critical for limiting exposure when patches are '
'delayed.'],
'motivation': ['Opportunistic Exploitation',
'Potential Data Exfiltration',
'Lateral Movement',
'Persistence'],
'post_incident_analysis': {'corrective_actions': ['Apply vendor-provided '
'patches promptly',
'Implement compensatory '
'controls (e.g., '
'segmentation, monitoring) '
'for unpatchable systems',
'Review and update '
'vulnerability management '
'processes for edge '
'appliances'],
'root_causes': ['Relative path traversal weakness '
'(CWE-23) in FortiWeb WAF',
'Delayed patching due to '
'operational constraints or '
'technical debt',
'Insufficient network segmentation '
'for security appliances']},
'recommendations': ['Immediately apply Fortinet patches (7.4.8 or 7.6.6) for '
'FortiWeb appliances.',
'Isolate unpatched devices and monitor for signs of '
'exploitation (e.g., unfamiliar admin activity, traffic '
'anomalies).',
'Implement network segmentation to restrict '
'administrative access to FortiWeb appliances.',
'Enforce VPN-only access pathways and enable strict '
'logging for administrative actions.',
'Prioritize vulnerability management for security '
'appliances to reduce technical debt and exposure.',
'For cloud deployments, enhance monitoring of access logs '
'and outbound connections.'],
'references': [{'date_accessed': '2025-11-14',
'source': 'CISA Known Exploited Vulnerabilities (KEV) '
'Catalog'},
{'source': 'Fortinet Security Advisory (FG-IR-25-910)'}],
'regulatory_compliance': {'regulations_violated': ['CISA Binding Operational '
'Directive (BOD) 22-01 (if '
'unpatched by deadline)'],
'regulatory_notifications': ['Mandatory remediation '
'deadline of November '
'21, 2025, for federal '
'agencies']},
'response': {'communication_strategy': ['CISA advisory',
'Fortinet security bulletin '
'(FG-IR-25-910)'],
'containment_measures': ['Isolate affected FortiWeb appliances '
'from broader network communication',
'Restrict administrative access via '
'network segmentation and VPN-only '
'pathways',
'Monitor for unfamiliar administrative '
'activity or web traffic anomalies'],
'enhanced_monitoring': ['Sustained monitoring of access logs, '
'unexpected requests, and outbound '
'connections'],
'incident_response_plan_activated': ['CISA Binding Operational '
'Directive (BOD) 22-01 for '
'federal agencies'],
'network_segmentation': ['Restrict administrative access to '
'FortiWeb appliances'],
'remediation_measures': ['Apply patches (7.4.8 or 7.6.6) '
'immediately',
'Remove or replace unpatchable '
'appliances']},
'stakeholder_advisories': ['CISA urgent warning', 'Fortinet patch advisory'],
'title': 'Critical Path Traversal Vulnerability in Fortinet FortiWeb WAF '
'(CVE-2025-64446)',
'type': ['Vulnerability Exploitation',
'Unauthorized Access',
'Path Traversal'],
'vulnerability_exploited': {'affected_versions': ['FortiWeb builds up to '
'7.4.7',
'FortiWeb builds up to '
'7.6.5'],
'cve_id': 'CVE-2025-64446',
'cwe_id': 'CWE-23',
'description': 'Relative path traversal weakness '
'allowing unauthenticated '
'administrative command execution '
'via crafted HTTP/HTTPS requests.',
'patched_versions': ['7.4.8', '7.6.6']}}