🔴 CVE-2025-64446

Critical path traversal vulnerability in Fortinet FortiWeb web application firewalls allows remote execution of administrative commands via crafted HTTP/HTTPS requests. Active exploitation is occurring in the wild with attackers creating administrative accounts for persistent access.

← Back to Overview
HIGH_RISK
Risk Level
9.1
CVSS Score
NETWORK
Attack Vector
Initial Access
ATT&CK Tactic
T1190 — Exploit Public-Facing Application
ATT&CK Technique
VERY_HIGH
Deployment Risk
No
Ransomware

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-11-14

Added to CISA KEV: 2025-11-14 0 DAY BETWEEN CVE AND KEV

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2025-11-14)

CVE-2025-64446 is a critical relative path traversal vulnerability affecting Fortinet FortiWeb that allows for remote execution of administrative commands [2]. Here's a breakdown of what is known about its exploitation:

  • Affected Applications/Services: The vulnerability affects internet-facing applications and services, specifically FortiWeb appliances [1].
  • Active Exploitation: There is evidence of active, indiscriminate exploitation in the wild since early November 2025 [4][1]. Attackers are creating administrative accounts and gaining persistent access to affected systems [1].
  • Attack Vectors/Exploitation Methods: The attack vector is network-based, leading to full administrative compromise [1]. The vulnerability is a relative path traversal, enabling remote execution of administrative commands [2].
  • Targeted Attacks: While not explicitly stated, the nature of the exploitation suggests it could be used in targeted attacks [1].
  • CISA KEV Status: As of now, CVE-2025-64446 is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [3]. However, CISA has added other Fortinet vulnerabilities to the KEV catalog in the past [6][5].
  • Technical Details: It is a relative path traversal vulnerability that allows for remote execution of administrative commands [2].

Sources

  1. Threat Advisory : Fortinet FortiWeb active exploit (Nov 2025)

    Summary (TL;DR) A Fortinet FortiWeb vulnerability is being actively exploited in the wild to create administrative accounts and gain persistent access to Internet-exposed FortiWeb appliances. Public proof-of-concept / exploit activity and weaponized code have appeared, and multiple monitoring/honeyp…

  2. CVE-2025-64446 : A relative path traversal vulnerability in Fortinet ...

    Vulnerability Details : CVE-2025-64446 Fortinet FortiWeb Relative Path Traversal Vulnerability Allows Remote Execution of Administrative Commands…

  3. Known Exploited Vulnerabilities Catalog

    CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their ...

  4. Now-Patched Fortinet FortiWeb Flaw Exploited in Attacks to Create Admin ...

    Cybersecurity researchers are sounding the alert about an authentication bypass vulnerability in Fortinet Fortiweb WAF that could allow an attacker to take over admin accounts and completely compromise a device. "The watchTowr team is seeing active, indiscriminate in-the-wild exploitation of what ap…

  5. CISA Adds Three Known Exploited Vulnerabilities to Catalog

    CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

Generated by PatchNow Intelligence System

Analysis based on CIRCL.LU data, Claude AI assessment, and MITRE ATT&CK framework

📄 Download JSON Data | 📡 RSS Feed