Fortiweb relative path traversal CVE-2025-64446
Our experts keep you up-to-date on critical cyber threats (CVEs)
Fortinet has disclosed a critical vulnerability in FortiWeb (CVE-2025-64446). Due to a relative path traversal (CWE-23) in the GUI, unauthenticated attackers can execute administrative commands via crafted HTTP/HTTPS requests. It is therefore highly recommended to upgrade to the latest supported version within your current major release as soon as possible.
Take action
This CVE is being actively abused, so it is highly recommended to patch as soon as possible.
Last week, even before the official communication from Fortinet, we already informed our Managed Services customers and patched their environments. So they do not have to do anything.
Affected versions
- FortiWeb 8.0.0-8.0.1 → upgrade to 8.0.2+
- FortiWeb 7.6.0-7.6.4 → upgrade to 7.6.5+
- FortiWeb 7.4.0-7.4.9 → upgrade to 7.4.10+
- FortiWeb 7.2.0-7.2.11 → upgrade to 7.2.12+
- FortiWeb 7.0.0-7.0.11 → upgrade to 7.0.12+
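To turn the version table above into something you can run against an inventory export, here is an added example (not code from Fortinet or this advisory) that parses FortiWeb version strings, compares them with the affected ranges listed above and reports the minimum fixed version per branch. The inventory lines and hostnames are constructed sample data; versions on branches the advisory does not list are reported as "not listed" rather than guessed.

```python
import re

# Affected ranges as listed in the advisory for CVE-2025-64446:
# (major, minor) branch -> (first affected, last affected, first fixed)
AFFECTED_BRANCHES = {
    (8, 0): ((8, 0, 0), (8, 0, 1), (8, 0, 2)),
    (7, 6): ((7, 6, 0), (7, 6, 4), (7, 6, 5)),
    (7, 4): ((7, 4, 0), (7, 4, 9), (7, 4, 10)),
    (7, 2): ((7, 2, 0), (7, 2, 11), (7, 2, 12)),
    (7, 0): ((7, 0, 0), (7, 0, 11), (7, 0, 12)),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a (major, minor, patch) tuple from strings such as
    'FortiWeb 7.4.3' or 'v7.4.3,build1234'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def fmt(version):
    return ".".join(str(p) for p in version)


def check_version(text):
    """Classify one version string as 'affected', 'fixed' or 'not listed'.
    Tuple comparison gives correct numeric ordering (7.4.9 < 7.4.10)."""
    v = parse_version(text)
    branch = AFFECTED_BRANCHES.get(v[:2])
    if branch is None:
        return {"version": fmt(v), "status": "not listed", "fix": None}
    first, last, fixed = branch
    if first <= v <= last:
        return {"version": fmt(v), "status": "affected", "fix": fmt(fixed)}
    return {"version": fmt(v), "status": "fixed", "fix": None}


def audit_inventory(lines):
    """Take 'hostname,version' lines and return one result dict per host."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, ver = line.partition(",")
        result = check_version(ver)
        result["host"] = host.strip()
        results.append(result)
    return results


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """\
# host,version
waf-edge-01,FortiWeb 7.4.3
waf-edge-02,v7.6.5
waf-lab-01,8.0.1
waf-old-01,6.4.2
"""


def affected_hosts(inventory_text=SAMPLE_INVENTORY):
    """Return only the hosts that still need the upgrade."""
    rows = audit_inventory(inventory_text.splitlines())
    return [r for r in rows if r["status"] == "affected"]


if __name__ == "__main__":
    for r in audit_inventory(SAMPLE_INVENTORY.splitlines()):
        fix = f" -> upgrade to {r['fix']}+" if r["fix"] else ""
        print(f"{r['host']}: {r['version']} {r['status']}{fix}")
```

Feed it the output of your own asset inventory (one `hostname,version` line per appliance) and the "affected" rows are the patch list; anything reported as "not listed" needs a manual look at the vendor advisory rather than being assumed safe.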
There is also a workaround: Disable HTTP/HTTPS on internet-facing interfaces until the upgrade is done.
It is also recommended to check the configuration and logs after the upgrade for unauthorised changes or accounts!
Need support to patch your FortiWeb? Contact us to fix this issue for you. This can be done by mail at support@vanroey.be or by phone at 014 470 600. You can also create a ticket.
Can't create tickets? Ask here to get an account. If our engineer needs to remotely control your PC, he or she will ask you to run this software.