- 250/2025
- Critical
Fortinet has released a security update to fix a critical vulnerability in FortiWeb.
The addressed vulnerability could allow the remote attacker to execute administrative commands via crafted HTTP or HTTPS requests, and take over admin accounts and completely compromise the affected systems.
FortiWeb GUI Path Confusion Vulnerability (CVE-2025-64446):
- CVSS: 9.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Privileges
It should be highlighted that Fortinet is aware that the vulnerability “CVE-2025- 64446” has a proof-of-concept (PoC) exploit in the wild.
Sample of the affected products:
- FortiWeb 8.0 through 8.0.1.
- FortiWeb 7.6 through 7.6.4.
- FortiWeb 7.4 through 7.4.9.
- FortiWeb 7.2 through 7.2.11.
- FortiWeb 7.0 through 7.0.11.
Vulnerabilities
CVE-2025-64446
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.