[Vulnerability Alert] Fortinet FortiWeb has a Critical Security Vulnerability (CVE-2025-64446)

• Subject: [Vulnerability Alert] Fortinet FortiWeb has a Critical Security Vulnerability (CVE-2025-64446)

• Content:
  • Forwarded from Taiwan Computer Emergency Response Team/Coordination Center Security Alert TWCERTCC-200-202511-00000013
  • Fortinet FortiWeb is a Web Application Firewall product that offers features including anomaly detection, API protection, bot mitigation, and advanced threat analysis.
  • Recently, Fortinet released a critical security vulnerability advisory (CVE-2025-64446, CVSS: 9.8). The vulnerability is a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands on the system through specially crafted HTTP or HTTPS requests.
  • Note: Fortinet has observed attacks exploiting this vulnerability. It is recommended to immediately implement temporary mitigation measures to prevent potential attacks targeting this vulnerability.
• Affected Platforms:
  • FortiWeb versions 7.0.0 through 7.0.11
  • FortiWeb versions 7.2.0 through 7.2.11
  • FortiWeb versions 7.4.0 through 7.4.9
  • FortiWeb versions 7.6.0 through 7.6.4
  • FortiWeb versions 8.0.0 through 8.0.1
• Recommended Measures:
  • Please update to the following versions: FortiWeb version 7.0.12, FortiWeb version 7.2.12, FortiWeb version 7.4.10, FortiWeb version 7.6.5, or FortiWeb version 8.0.2.
• References:
  1. https://www.twcert.org.tw/tw/cp-169-10514-20142-1.html

Computer and Communications Center
Network Systems Group