Alerts
Critical Vulnerability in FortiWeb Web Application Firewall
17 November 2025
Fortinet has released security updates to address a critical severity vulnerability in FortiWeb Web Application Firewall. Users and administrators of affected products are advised to update to the latest versions immediately.
Background
Fortinet has released security updates to address a critical vulnerability (CVE-2025-64446) in FortiWeb Web Application Firewall. This vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.8 out of 10.
Impact
Successful exploitation of the path confusion vulnerability could allow an unauthenticated attacker to execute administrative commands via crafted HTTP or HTTPS requests.
Known Exploitation
The proof-of-concept exploit is reportedly publicly available, with the vulnerability reportedly being exploited in the wild.
Affected Products
The vulnerability affects the following versions:
FortiWeb versions 8.0.1 and earlier
FortiWeb versions 7.6.4 and earlier
FortiWeb versions 7.4.9 and earlier
FortiWeb versions 7.2.11 and earlier
FortiWeb versions 7.0.11 and earlier
Mitigation
Users and administrators of affected product versions are strongly advised to update to the latest versions immediately. Administrators who are not able to immediately upgrade to patched versions should disable HTTP or HTTPS for all internet-facing management interfaces and ensure that access is restricted to trusted networks.
It is also recommended to check configuration and review logs for other unexpected modifications such as addition of new unauthorised administrator accounts.
Administrators can identify vulnerable devices via the tool "FortiWeb Authentication Bypass Artifact Generator".
References
https://nvd.nist.gov/vuln/detail/CVE-2025-64446