The critical **CVE-2025-64446** vulnerability in **Fortinet FortiWeb WAF** allows unauthenticated attackers to gain **administrative access** via a **relative path-traversal flaw (CWE-23)**. Exploitation enables full system control, including **disabling security measures, intercepting sensitive data (e.g., credentials, financial transactions), and lateral movement into corporate networks**. While no confirmed ransomware link exists, the flaw’s severity—**CVSS Critical**—and active exploitation by threat actors pose **immediate operational risks**, including **data breaches, unauthorized command execution, and potential downstream infrastructure compromise**. CISA’s **7-day remediation deadline (Nov 21, 2025)** underscores the urgency, with federal agencies and private organizations at risk of **deep network infiltration, privilege escalation, and exposure of protected applications**. Failure to patch could lead to **sustained attacker presence, data exfiltration, or disruption of business-critical services**.
Source: https://cyberpress.org/fortinet-fortiweb-waf-vulnerability/
Fortinet cybersecurity rating report: https://www.rankiteo.com/company/fortinet
```json
{
  "id": "FOR4992549111825",
  "linkid": "fortinet",
  "type": "Vulnerability",
  "date": "11/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
```
```json
{
  "affected_entities": [
    {
      "industry": "Public Sector",
      "location": "United States",
      "name": "Federal Civilian Executive Branch Agencies (U.S.)",
      "type": "Government"
    },
    {
      "location": "Global",
      "type": "Organizations using Fortinet FortiWeb WAF"
    }
  ],
  "attack_vector": ["Network", "HTTP/HTTPS Requests"],
  "customer_advisories": ["Fortinet customer advisory to patch FortiWeb WAF systems"],
  "data_breach": {
    "data_exfiltration": ["Possible if attackers intercept or pivot to other systems"],
    "personally_identifiable_information": ["Potential risk if PII transmitted through WAF"],
    "sensitivity_of_data": ["High (potential for intercepted sensitive data, including PII or payment info)"],
    "type_of_data_compromised": ["Potentially any data transmitted through or stored on FortiWeb WAF"]
  },
  "date_publicly_disclosed": "2025-11-14",
  "description": "The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Fortinet FortiWeb vulnerability (CVE-2025-64446) to its Known Exploited Vulnerabilities (KEV) catalog. This relative path-traversal flaw enables unauthenticated attackers to gain administrative access to affected FortiWeb WAF systems by sending crafted HTTP/HTTPS requests. Exploitation grants full privileges, allowing attackers to execute commands, disable security controls, intercept sensitive data, and pivot laterally within corporate networks. CISA mandates remediation by November 21, 2025, for federal agencies under BOD 22-01 and strongly recommends all organizations prioritize patching.",
  "impact": {
    "brand_reputation_impact": ["Potential reputational damage due to exploitation of critical infrastructure"],
    "data_compromised": ["Potential interception of sensitive data passing through WAF"],
    "operational_impact": [
      "Administrative access to WAF",
      "Command execution with full privileges",
      "Security control bypass",
      "Lateral movement risk"
    ],
    "payment_information_risk": ["Potential interception of sensitive data (e.g., payment info) if transmitted through WAF"],
    "systems_affected": [
      "Fortinet FortiWeb WAF",
      "Protected applications",
      "Downstream infrastructure"
    ]
  },
  "initial_access_broker": {
    "backdoors_established": ["Potential if attackers maintain access post-exploitation"],
    "entry_point": ["Exposed FortiWeb WAF (HTTP/HTTPS)"],
    "high_value_targets": [
      "Protected applications behind WAF",
      "Downstream infrastructure"
    ]
  },
  "investigation_status": "Active exploitation confirmed; remediation ongoing",
  "lessons_learned": [
    "Critical vulnerabilities in perimeter security devices (e.g., WAFs) pose severe risks due to their privileged network position.",
    "Unauthenticated flaws with administrative access capabilities are high-priority targets for threat actors.",
    "Federal mandates (e.g., BOD 22-01) enforce rapid remediation timelines for known exploited vulnerabilities.",
    "Network segmentation and log monitoring are essential for limiting post-exploitation impact."
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Vendor patch to validate and neutralize path traversal attempts",
      "Enhanced default security configurations for FortiWeb",
      "Improved logging and detection for path-traversal attempts"
    ],
    "root_causes": [
      "Improper validation of path elements in FortiWeb WAF (CWE-23)",
      "Lack of authentication requirements for critical administrative functions",
      "Potential misconfigurations in internet-facing deployments"
    ]
  },
  "recommendations": [
    "Immediately patch Fortinet FortiWeb WAF systems to the latest version per vendor guidance.",
    "Prioritize remediation for internet-facing FortiWeb deployments.",
    "Implement network segmentation to isolate WAF systems and limit lateral movement.",
    "Monitor access logs for indicators of exploitation (e.g., unusual HTTP/HTTPS requests).",
    "Review and update incident response plans to include WAF-specific compromise scenarios.",
    "Consider compensating controls (e.g., enhanced monitoring) if patches cannot be applied immediately.",
    "Evaluate the necessity of FortiWeb in the architecture if vendor mitigations are delayed or unavailable."
  ],
  "references": [
    {
      "date_accessed": "2025-11-14",
      "source": "CISA Known Exploited Vulnerabilities (KEV) Catalog"
    },
    {"source": "Fortinet Security Advisory for CVE-2025-64446"},
    {"source": "CISA Binding Operational Directive (BOD) 22-01"}
  ],
  "regulatory_compliance": {
    "regulations_violated": ["Binding Operational Directive (BOD) 22-01 (for U.S. federal agencies)"],
    "regulatory_notifications": ["CISA KEV catalog inclusion (2025-11-14)"]
  },
  "response": {
    "containment_measures": ["Network segmentation to limit lateral movement"],
    "enhanced_monitoring": ["Review access logs for exploitation attempts"],
    "network_segmentation": true,
    "remediation_measures": [
      "Apply security patches per Fortinet’s vendor instructions",
      "Implement BOD 22-01 guidance for cloud services",
      "Discontinue use of affected products if mitigations unavailable",
      "Review access logs for suspicious HTTP/HTTPS requests"
    ]
  },
  "stakeholder_advisories": ["CISA advisory for federal agencies (remediation deadline: 2025-11-21)"],
  "title": "Critical Fortinet FortiWeb Path Traversal Vulnerability (CVE-2025-64446) Actively Exploited",
  "type": [
    "Vulnerability Exploitation",
    "Unauthenticated Access",
    "Path Traversal"
  ],
  "vulnerability_exploited": {
    "active_exploitation": true,
    "cve_id": "CVE-2025-64446",
    "cvss_score": "Critical",
    "cwe_id": "CWE-23",
    "product": "FortiWeb WAF",
    "vendor": "Fortinet",
    "vulnerability_type": "Relative Path Traversal"
  }
}
```