
THREAT LEVEL - HIGH
27-11-2025
High Level – New Critical pre-authentication relative path traversal vulnerability in FortiWeb
Threat Level Description
IthacaLabs has maintained the Threat Level (High), adding a new observation:
An attack is highly likely. Addressing the broad nature of the threat in order to reach an acceptable risk level, requires additional and sustainable protective security measures combined with specific business and geographical vulnerabilities and judgments.
Description
We have observed that a new Critical pre-authentication relative path traversal vulnerability in Fortinet's FortiWeb has been identified.
An unauthenticated remote attacker, by exploiting this issue via specially crafted HTTP or HTTPS requests, could execute privileged commands on the device without any credentials.
This vulnerability, tracked as CVE-2025-64446, stems from a combination of weaknesses in the request routing and authentication logic of FortiWeb, Fortinet's dedicated web application firewall (WAF), allowing attackers to execute privileged commands with administrator rights.
The root cause is that FortiWeb's GUI API handler does not properly validate or sanitize URL paths before processing them, so a traversal sequence in the request path can reach a handler that should only be available after authentication.
Note that both Fortinet and CISA have confirmed active exploitation in the wild; CISA has added the CVE to its Known Exploited Vulnerabilities catalog.
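The weakness class behind this advisory (a path that is checked before it is canonicalized, so a relative traversal sequence reaches a handler that should require authentication) is easier to see in code. The following Python is an added illustration written for this bulletin; it is not FortiWeb code and not Fortinet's. The route names (/api/ as the privileged space, /public/ as the unauthenticated space), the access-log format and every request path are constructed. It shows a vulnerable dispatcher beside a hardened one, and reuses the same canonicalization to flag traversal attempts in a sample access log, which is the kind of check worth adding to the event monitoring recommended below.

```python
"""Un-normalized URL path reaching a privileged handler before authentication.

Added illustration for this bulletin. NOT FortiWeb code: the route table,
the access-log format and every request path below are constructed.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed route table: /api/ is privileged and requires credentials,
# /public/ is reachable without them.
PRIVILEGED_PREFIX = "/api/"
PUBLIC_PREFIX = "/public/"


def decode(raw_path: str) -> str:
    """Strip the query string, percent-decode twice (catches %252e style
    double encoding) and fold backslashes, but do NOT collapse '..' yet."""
    path = raw_path.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    path = path.replace("\\", "/")
    return path if path.startswith("/") else "/" + path


def canonicalize(raw_path: str) -> str:
    """The path a file system or dispatcher would actually act on."""
    return posixpath.normpath(decode(raw_path))


def route_vulnerable(raw_path: str, authenticated: bool) -> str:
    """Weak pattern: the auth decision looks at the RAW path while the
    dispatcher looks at the CANONICAL path. '/public/../api/admin' starts
    with /public/, so no credentials are demanded, yet it is dispatched
    to the privileged handler."""
    needs_auth = not raw_path.startswith(PUBLIC_PREFIX)
    if needs_auth and not authenticated:
        return "401 unauthorized"
    target = canonicalize(raw_path)
    if target.startswith(PRIVILEGED_PREFIX):
        return "200 privileged-handler"
    if target.startswith(PUBLIC_PREFIX):
        return "200 public-handler"
    return "404 not found"


def route_hardened(raw_path: str, authenticated: bool) -> str:
    """Fix: canonicalize once, up front, and base BOTH the auth decision and
    the dispatch on that single canonical path. As defence in depth, any
    '..' segment that survives decoding is rejected outright: legitimate
    API clients never send one."""
    if ".." in decode(raw_path).split("/"):
        return "400 bad request"
    target = canonicalize(raw_path)
    if target.startswith(PRIVILEGED_PREFIX):
        return "200 privileged-handler" if authenticated else "401 unauthorized"
    if target.startswith(PUBLIC_PREFIX):
        return "200 public-handler"
    return "404 not found"


# Constructed access-log lines (not a real FortiWeb log format):
# "client method raw-path status".
SAMPLE_LOG = """\
203.0.113.10 GET /public/index.html 200
203.0.113.10 POST /public/../api/admin 200
198.51.100.7 GET /api/status 401
198.51.100.7 POST /public/%2e%2e/api/admin 200
192.0.2.5 GET /public/%252e%252e/api/admin 200
192.0.2.9 GET /public/docs/../faq.html 200
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def find_traversal_to_privileged(log_text: str) -> list:
    """Flag requests whose decoded path contains a '..' segment AND whose
    canonical form lands under the privileged prefix. A '..' that stays
    inside /public/ is noise; one that escapes into /api/ is the signal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, raw, status = m.groups()
        canonical = canonicalize(raw)
        if ".." in decode(raw).split("/") and canonical.startswith(PRIVILEGED_PREFIX):
            hits.append({"client": client, "method": method, "raw": raw,
                         "canonical": canonical, "status": status})
    return hits


if __name__ == "__main__":
    probe = "/public/%2e%2e/api/admin"
    print("vulnerable, no creds:", route_vulnerable(probe, False))
    print("hardened,   no creds:", route_hardened(probe, False))
    for hit in find_traversal_to_privileged(SAMPLE_LOG):
        print("suspect:", hit)
```

Run stand-alone, the script shows the vulnerable dispatcher serving the privileged handler to an unauthenticated probe while the hardened one returns 400, and lists the three log lines whose traversal sequence escapes into the privileged prefix (the benign "/public/docs/../faq.html" is not flagged). When hunting in real logs, apply the same two-part test, decoded '..' segment plus canonical destination, rather than grepping for "../" alone, or encoded variants will be missed and harmless relative links will flood the result.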
Affected Products (with the first fixed release in each branch):
- FortiWeb versions from 8.0.0 through 8.0.1 (upgrade to 8.0.2 or above)
- FortiWeb versions from 7.6.0 through 7.6.4 (upgrade to 7.6.5 or above)
- FortiWeb versions from 7.4.0 through 7.4.9 (upgrade to 7.4.10 or above)
- FortiWeb versions from 7.2.0 through 7.2.11 (upgrade to 7.2.12 or above)
- FortiWeb versions from 7.0.0 through 7.0.11 (upgrade to 7.0.12 or above)
Recommendation(s):
You should proceed immediately and apply the relevant security patches and/or upgrade to the latest version provided by the vendor.
If you cannot immediately upgrade the affected systems, disable HTTP and HTTPS management access on internet-facing interfaces until the upgrade is done. Limiting access to HTTP/HTTPS management interfaces to internal networks is a best practice that reduces, but does not eliminate, risk. Because exploitation is confirmed, treat any management interface that was internet-exposed on an affected version as potentially compromised: review administrator accounts and configuration changes made during the exposure window rather than only patching.
You should understand the importance of security updates, and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to have an efficient patch management process, to keep security event logging enabled at all times, and to actively monitor those events. Protecting the valuable assets of your business and complying with the relevant industry regulations requires a comprehensive approach to the management of risk, including Penetration Testing at least annually and upon significant changes.