Critical Path Traversal Auth Bypass (CVE‑2025‑64446) in Fortinet FortiWeb WAF Affects Multiple Versions
What Happened – A critical path‑traversal flaw (CVE‑2025‑64446) in Fortinet FortiWeb 8.0.1 and several earlier releases allows an unauthenticated remote attacker to bypass the administrative login and gain full control of the WAF. The exploit works over the network by sending specially‑crafted HTTP/HTTPS requests that skip normal directory checks.
Why It Matters for TPRM –
- The vulnerability can expose configuration data and enable malicious changes to security policies protecting downstream applications.
- A compromised WAF may become a pivot point for attacks against your organization’s web services and APIs.
- Many third‑party SaaS and cloud providers rely on FortiWeb as a front‑line defense; a breach can cascade to their customers.
Who Is Affected – Enterprises that deploy FortiWeb as a Web Application Firewall or API gateway, across sectors such as finance, healthcare, retail, and cloud‑based SaaS.
Recommended Actions –
- Verify the exact FortiWeb version in use and compare against the vulnerable matrix.
- Prioritize patching to the fixed releases (e.g., 8.0.2, 7.6.5, 7.4.10, etc.).
- If patching is delayed, restrict administrative interfaces to trusted internal networks and disable public HTTP/HTTPS admin access.
- Enable logging and monitor for anomalous traversal‑style request patterns.
Technical Notes – The flaw stems from insufficient path normalization in the request handling layer, enabling remote unauthenticated attackers to traverse directory restrictions and reach admin endpoints. CVSS v3.1 score 9.8 (Critical). No CVE‑specific exploit code was publicly released at the time of writing, but proof‑of‑concept scripts are available on Exploit‑DB (EDB‑ID 52495). Source: Exploit‑DB 52495