CVE-2025-64446 is a critical path traversal vulnerability identified in Fortinet FortiWeb, a prominent Web Application Firewall (WAF). With a CVSS score of 9.8, the flaw allows unauthenticated remote attackers to bypass administrative access controls through specially crafted HTTP/HTTPS requests. This issue arises from insufficient path normalization, which can lead to unauthorized configuration exposure or full administrative takeover of the management interface.
The vulnerability impacts a wide range of FortiWeb versions from 7.0.x through 8.0.x. Fortinet has released patches for all affected branches, and users are urged to upgrade to the latest versions (e.g., 8.0.2, 7.6.5, 7.4.10) immediately. Organizations unable to patch should restrict administrative access to trusted internal networks and monitor for traversal-related patterns in their traffic logs.
Top comments (0)