
CVE-2025-64446: Fortinet FortiWeb Zero-Day Path Traversal Vulnerability Exploited in the Wild




Fortinet has released an advisory for a recently disclosed zero-day path traversal vulnerability which has been exploited in the wild. Organizations are urged to patch immediately.

Background

On October 6, Defused published an X post regarding an unknown exploit targeting Fortinet devices. Shortly after, several cybersecurity organizations began investigating and confirmed that a new exploit appeared to have been silently fixed in some releases of Fortinet’s FortiWeb. This includes researchers at WatchTowr, who were able to reproduce the vulnerability. Within hours of their publication, Fortinet released a security advisory acknowledging that CVE-2025-64446 has been exploited in the wild.

| CVE | Description | CVSSv3 |
| --- | --- | --- |
| CVE-2025-64446 | Fortinet FortiWeb Path Traversal Vulnerability | 9.1 |

Analysis

CVE-2025-64446 is a relative path traversal vulnerability affecting Fortinet’s FortiWeb. An unauthenticated attacker could exploit this vulnerability to execute arbitrary commands on an affected device. According to the advisory and several reports released prior to the publication of the security advisory, this vulnerability has been exploited in the wild.

Security advisory released days after exploitation

While it’s not clear when exploitation was first observed, researchers at Defused were the first to raise the alarm about the unknown exploit targeting Fortinet devices.

On November 13, WatchTowr posted on X proof that they had reproduced the exploit and followed up the following day with a blog and the release of an artifact generator on GitHub.

Prior to the publication of the security advisory (FG-IR-25-910) from Fortinet, several research groups began testing the exploit to determine which versions were affected and which were patched. Although several new releases appeared to contain a fix based on testing of the exploit, confirmed patch information was not available until Fortinet published their security advisory.

Historical Exploitation of Fortinet Devices

Fortinet vulnerabilities have historically been common targets for cyber attackers, and CVE-2025-64446 is the twenty-first Fortinet vulnerability to be added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list. The Research Special Operations Team has written blogs about several of these vulnerabilities as shown in the table below:

| CVE | Description | Patched | Tenable Blog |
| --- | --- | --- | --- |
| CVE-2025-25256 | Fortinet FortiSIEM Command Injection Vulnerability | August 2025 | CVE-2025-25256: Proof of Concept Released for Critical Fortinet FortiSIEM Command Injection Vulnerability |
| CVE-2025-32756 | Fortinet FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera Arbitrary Code Execution Vulnerability | May 2025 | CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild |
| CVE-2024-55591 | Fortinet Authentication Bypass in FortiOS and FortiProxy | January 2025 | CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild |
| CVE-2024-21762 | Fortinet FortiOS Out-of-bound Write Vulnerability in sslvpnd | February 2024 | CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability |
| CVE-2023-27997 | FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability | June 2023 | CVE-2023-27997: Heap-Based Buffer Overflow in Fortinet FortiOS and FortiProxy SSL-VPN (XORtigate) |
| CVE-2022-42475 | FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability | December 2022 | CVE-2022-42475: Fortinet Patches Zero Day in FortiOS SSL VPNs; AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 |
| CVE-2022-40684 | FortiOS and FortiProxy Authentication Bypass Vulnerability | October 2022 | CVE-2022-40684: Critical Authentication Bypass in FortiOS and FortiProxy |

Proof of concept

At the time this blog was published on November 14, several public exploits had been released. In addition, active exploitation of this vulnerability has been observed. The combination of public exploits and known exploitation means that this vulnerability should be mitigated as soon as possible.

Solution

Fortinet has released patches for the following FortiWeb versions:

| Affected Version | Fixed Version |
| --- | --- |
| 7.0.0 through 7.0.11 | 7.0.12 or above |
| 7.2.0 through 7.2.11 | 7.2.12 or above |
| 7.4.0 through 7.4.9 | 7.4.10 or above |
| 7.6.0 through 7.6.4 | 7.6.5 or above |
| 8.0.0 through 8.0.1 | 8.0.2 or above |
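The affected and fixed ranges above are easy to misread when triaging a fleet by hand (7.4.9 is affected, 7.4.10 is not). The following script is an added example, not code from Tenable or Fortinet: it encodes the advisory's version table and classifies FortiWeb version strings from an inventory as vulnerable, fixed, or on a branch the advisory does not list. The inventory hostnames and the "7.4.9,build0041"-style version format are constructed assumptions for the example; a version match is only an indicator of exposure, and, given the in-the-wild exploitation described in this post, an exposed device should also be reviewed for compromise rather than simply upgraded.

```python
# Added example: classify FortiWeb versions against the CVE-2025-64446
# affected/fixed table published in Fortinet's advisory (FG-IR-25-910).
from typing import NamedTuple, Optional


class Branch(NamedTuple):
    first_affected: tuple   # inclusive, e.g. (7, 4, 0)
    last_affected: tuple    # inclusive, e.g. (7, 4, 9)
    fixed: tuple            # first fixed release on this branch, e.g. (7, 4, 10)


# Exactly the rows of the advisory's table; nothing outside it is assumed.
ADVISORY = [
    Branch((7, 0, 0), (7, 0, 11), (7, 0, 12)),
    Branch((7, 2, 0), (7, 2, 11), (7, 2, 12)),
    Branch((7, 4, 0), (7, 4, 9), (7, 4, 10)),
    Branch((7, 6, 0), (7, 6, 4), (7, 6, 5)),
    Branch((8, 0, 0), (8, 0, 1), (8, 0, 2)),
]


def parse_version(text: str) -> tuple:
    """Turn "7.4.9", "v7.4.9" or "7.4.9,build0041" into (7, 4, 9).

    Anything that does not parse raises rather than silently reading as "safe".
    The ",build" suffix format is an assumption for this example.
    """
    core = text.strip().lstrip("vV").split(",")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(v: tuple) -> str:
    return ".".join(str(n) for n in v)


def assess(version_text: str) -> dict:
    """Return {"version", "status", "fixed_version"} for one version string.

    status is "vulnerable", "fixed", or "unknown_branch" (a release train the
    advisory does not mention, which should be reviewed manually, not ignored).
    """
    v = parse_version(version_text)
    for b in ADVISORY:
        if v[:2] == b.first_affected[:2]:          # same release train, e.g. 7.4.x
            status = "vulnerable" if v <= b.last_affected else "fixed"
            return {"version": fmt(v), "status": status, "fixed_version": fmt(b.fixed)}
    return {"version": fmt(v), "status": "unknown_branch", "fixed_version": None}


def vulnerable_hosts(inventory) -> list:
    """(host, version, fixed_version) for every inventory entry still in an affected range."""
    hits = []
    for host, version in inventory:
        result = assess(version)
        if result["status"] == "vulnerable":
            hits.append((host, result["version"], result["fixed_version"]))
    return hits


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("waf-dmz-01", "7.4.9"),
    ("waf-dmz-02", "v7.4.10"),
    ("waf-lab", "8.0.1,build0041"),
    ("waf-legacy", "6.4.3"),
]

if __name__ == "__main__":
    for host, ver, fixed in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: FortiWeb {ver} is in an affected range for CVE-2025-64446; "
              f"upgrade to {fixed} or above")
    for host, ver in SAMPLE_INVENTORY:
        if assess(ver)["status"] == "unknown_branch":
            print(f"{host}: FortiWeb {ver} is on a branch the advisory does not list; review manually")
```

Run it against an export from your asset inventory or from Tenable's plugin output; the two lists it prints (affected hosts and hosts on unlisted branches) are the ones to act on first.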

In addition, Fortinet provides a workaround: disable HTTP or HTTPS on any public (internet) facing devices in order to reduce risk. While patching is still recommended, this mitigation can be used to reduce risk until patching can be completed. According to Fortinet, HTTP/HTTPS access to the management interface should be restricted to internal networks and never exposed publicly.

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-64446 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline. Tenable Web App Scanning plugin ID 115040 will also be available soon.

Additionally, customers can utilize Tenable Attack Surface Management to identify public facing Fortinet devices by using the following subscription:

Tenable Attack Surface Management Fortinet Subscription

Get more information

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
