CVE-2025-64446

🗓️ 14 Nov 2025 15:50:52Reported by fortinetType

cve🔗 web.nvd.nist.gov📰️ 35 Media mentions👁 525 Views🌐 WEB

CVE-2025-64446: FortiWeb relative path traversal enables attackers to execute admin commands via crafted requests.

Reporter	Title	Published	Views	Family All 41
GithubExploit	Exploit for OS Command Injection in Fortinet Fortiweb	4 Mar 202608:31	–	githubexploit
GithubExploit	Exploit for Relative Path Traversal in Fortinet Fortiweb	26 Mar 202611:29	–	githubexploit
GithubExploit	Exploit for Relative Path Traversal in Fortinet Fortiweb	21 Nov 202500:37	–	githubexploit
GithubExploit	Exploit for Relative Path Traversal in Fortinet Fortiweb	18 Nov 202510:25	–	githubexploit
GithubExploit	Exploit for CVE-2025-58034	19 Nov 202509:52	–	githubexploit
GithubExploit	Exploit for OS Command Injection in Fortinet Fortiweb	2 Mar 202614:36	–	githubexploit
Circl	CVE-2025-64446	14 Nov 202515:42	–	circl
CISA KEV Catalog	Fortinet FortiWeb Path Traversal Vulnerability	14 Nov 202500:00	–	cisa_kev
CISA	CISA Adds One Known Exploited Vulnerability to Catalog	14 Nov 202512:00	–	cisa
CISA	Fortinet Releases Security Advisory for Relative Path Traversal Vulnerability Affecting FortiWeb Products	25 Nov 202512:00	–	cisa

NVD

Node

fortinet fortiwebRange7.0.0–7.0.12

fortinet fortiwebRange7.2.0–7.2.12

fortinet fortiwebRange7.4.0–7.4.10

fortinet fortiwebRange7.6.0–7.6.5

fortinet fortiwebRange8.0.0–8.0.2

[
  {
    "vendor": "Fortinet",
    "product": "FortiWeb",
    "cpes": [
      "cpe:2.3:a:fortinet:fortiweb:8.0.1:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:8.0.0:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.6.4:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.6.3:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.6.2:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.6.1:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.6.0:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.4.9:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.4.8:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.4.7:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.4.6:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.4.5:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.4.4:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.4.3:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.4.2:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.4.1:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.4.0:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.2.11:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.2.10:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.2.9:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.2.8:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.2.7:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.2.6:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.2.5:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.2.4:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.2.3:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.2.2:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.2.1:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.2.0:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.0.11:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.0.10:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.0.9:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.0.8:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.0.7:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.0.6:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.0.5:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.0.4:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.0.3:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.0.2:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.0.1:*:*:*:*:*:*:*",
      "cpe:2.3:a:fortinet:fortiweb:7.0.0:*:*:*:*:*:*:*"
    ],
    "defaultStatus": "unaffected",
    "versions": [
      {
        "versionType": "semver",
        "version": "8.0.0",
        "lessThanOrEqual": "8.0.1",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "7.6.0",
        "lessThanOrEqual": "7.6.4",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "7.4.0",
        "lessThanOrEqual": "7.4.9",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "7.2.0",
        "lessThanOrEqual": "7.2.11",
        "status": "affected"
      },
      {
        "versionType": "semver",
        "version": "7.0.0",
        "lessThanOrEqual": "7.0.11",
        "status": "affected"
      }
    ]
  }
]

Source	Link
fortiguard	www.fortiguard.fortinet.com/psirt/FG-IR-25-910
github	www.github.com/watchtowrlabs/watchTowr-vs-Fortiweb-AuthBypass
cisa	www.cisa.gov/known-exploited-vulnerabilities-catalog

Parameter	Position	Path	Description	CWE
../../mkey	request body	api/v2.0/user/local.add	Authentication bypass via path traversal in mkey parameter during user creation	CWE-23
password	request body	api/v2.0/user/local.add	Authentication bypass via path traversal in mkey parameter during user creation	CWE-23
isadmin	request body	api/v2.0/user/local.add	Authentication bypass via path traversal in mkey parameter during user creation	CWE-23
status	request body	api/v2.0/user/local.add	Authentication bypass via path traversal in mkey parameter during user creation	CWE-23
username	request body	api/v2.0/login	Login endpoint vulnerable to credential-based bypass enabling subsequent exploitation	CWE-287
password	request body	api/v2.0/login	Login endpoint vulnerable to credential-based bypass enabling subsequent exploitation	CWE-287
upload-file	request body	api/v2.0/system/maintenance/backup	Arbitrary file upload via multipart form data used to drop a webshell	CWE-434
../../mkey	request body	api/v2.0/user/local.delete	Path traversal used to specify target admin for deletion, enabling cleanup after exploitation	CWE-23

17 Jun 2026 09:54Current

7High risk

Vulners AI Score7

CVSS 3.19.8

EPSS0.89526

SSVC