Fortinet FortiWeb Path Traversal Vulnerability
Release Date: 14th of November 2025
Impact : HIGH / CRITICAL
TLP Rating: Clear 
CERT Vanuatu (CERTVU) and the Department of Communication and Digital Transformation (DCDT) provide the following advisory.
This alert is relevant to Organizations and System/Network administrators that utilize the above products. This alert is intended to be understood by technical users and systems administrators.
What is it?
CVE-2025-64446 – is a relative path traversal + authentication bypass.
What are the Systems affected?
Product: Fortinet FortiWeb (web application firewall).
Affected :
- FortiWeb 8.0.0 – 8.0.1
- FortiWeb 7.6.0 – 7.6.4
- FortiWeb 7.4.0 – 7.4.9
- FortiWeb 7.2.0 – 7.2.11
- FortiWeb 7.0.0 – 7.0.11
What does this means?
How attackers exploit this vulnerability (attack vector)
Allows an unauthenticated remote attacker to execute administrative commands on FortiWeb, including creating new admin accounts, giving full control over the appliance.
Mitigation process
CERTVU recommend:
- Immediate Patching.
- Upgrade FortiWeb to a fixed version: e.g., 8.0.2 or higher for 8.x, and the equivalent in the 7.x branches.
References
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cve.org/CVERecord?id=CVE-2025-64446
- Download advisory (English): Fortinet FortiWeb Path Traversal Vulnerability
- Download advisory (Bislama): Vulnerabiliti long saed blong Fortinet FortiWeb Path Traversal
- Download advisory (French): Vulnérabilité de type traversée de répertoires dans Fortinet FortiWeb