CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2025-64446

CVSS 9.8v3.1pub. 2025-11-14upd. 2025-11-21

A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

🤖 AI Analysis
How it works

The attacker sends specially crafted HTTP or HTTPS requests containing path traversal sequences (e.g., '../'), which bypass path access control mechanisms. As a result, requests reach system components normally inaccessible to unauthenticated users. The vulnerability allows execution of administrative commands without requiring any credentials, corresponding to the CVSS vector AV:N/AC:L/PR:N/UI:N.

Impact

An unauthenticated attacker can execute arbitrary administrative commands on the FortiWeb device, leading to complete device compromise — loss of confidentiality, integrity, and system availability.

Mitigation & patch

Apply patches available from the vendor according to references (https://fortiguard.fortinet.com/psirt/FG-IR-25-910). Until updates are applied, it is recommended to restrict access to the FortiWeb management interface to trusted IP addresses only and monitor anomalous HTTP/HTTPS requests directed to the administrative panel.

Who is affected

Fortinet FortiWeb in versions: 8.0.0–8.0.1, 7.6.0–7.6.4, 7.4.0–7.4.9, 7.2.0–7.2.11, 7.0.0–7.0.11

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Fortinet Fortiweb

    APP
    Fortinet
    7.0.0 – 7.0.12 (bez)7.2.0 – 7.2.12 (bez)7.4.0 – 7.4.10 (bez)7.6.0 – 7.6.5 (bez)8.0.0 – 8.0.2 (bez)

CISA KEV — detailsi

Vendori
Fortinet
Producti
FortiWeb
Added to KEVi
November 14, 2025
Remediation deadline (US Federal)i
November 21, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Fortinet FortiWeb contains a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 21 listopada 2025
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2026-24858CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Fortinet – Auth Bypass przez FortiCloud SSO w wielu produktach

CVE-2025-25257CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Krytyczna podatność SQL Injection w Fortinet FortiWeb — obejście uwierzytelnienia

CVE-2025-59719CRITICAL9.8PL ✓ten sam produkt

Fortinet FortiWeb — pominięcie uwierzytelnienia SSO przez spreparowany SAML

CVE-2023-25610CRITICAL9.8PL ✓ten sam produkt

Buffer Underflow w interfejsie administracyjnym Fortinet FortiOS / FortiProxy — RCE bez uwierzytelnienia

CVE-2021-42761CRITICAL9.0ten sam produkt

A condition for session fixation vulnerability [CWE-384] in the session management of FortiWeb versions 6.4 al...