A critical vulnerability in Fortinet’s FortiWeb web application firewall (WAF) is now under active exploitation, according to a new alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The flaw, identified as CVE-2025-64446 with a CVSS score of 9.1, has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog—a key indicator that federal civilian agencies and other organizations must address it immediately.
Vulnerability Details Highlight Serious Risk of Unauthorized File Access
Fortinet FortiWeb version 8.0.0 harbors a relative path traversal vulnerability, allowing unauthenticated attackers to read arbitrary files on the underlying system. The traversal flaw arises from improper validation of user-supplied input in HTTP requests, exposing internal system paths to manipulation.
Technical Breakdown of CVE-2025-64446 and Attack Vectors
The vulnerability stems from the failure to sanitize directory traversal patterns such as `../` in web requests. This can give attackers the ability to move outside the intended file directory scope—potentially accessing sensitive configuration files, session tokens, or system credentials.
Key technical attributes of CVE-2025-64446 include:
- Affected Version : FortiWeb 8.0.0
- Access Vector : Remote
- Attack Complexity : Low
- Authentication Requirement : None
- Potential Impact : Unauthorized file disclosure
By crafting malicious HTTP GET or POST requests containing traversal sequences, adversaries can exploit this flaw without logging into the system. This capability increases the attack surface significantly, especially for unpatched public-facing FortiWeb deployments.
CISA Adds CVE-2025-64446 to KEV Catalog and Requires Federal Action
Inclusion in the Known Exploited Vulnerabilities catalog signals that CVE-2025-64446 has moved beyond theoretical threat and is observed in active attack campaigns.
What KEV Catalog Inclusion Means for Organizations
Being listed in the KEV catalog aligns with CISA’s prioritization framework for vulnerabilities that pose the most risk to federal networks. CISA’s announcement should prompt similar urgency across private enterprises and critical infrastructure providers, particularly those within regulated sectors such as finance, healthcare, and energy.
“CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of vulnerabilities listed in the KEV catalog,” the agency noted in its advisory.
Failure to remediate on time could expose enterprise assets to opportunistic exploitation, lateral movement, and potential data exfiltration.
Fortinet Has Released Patches and Urges Swift Deployment
Following the disclosure, Fortinet has issued security updates addressing the vulnerability in relevant FortiWeb versions. Users are advised to upgrade to patched versions immediately, especially if FortiWeb is exposed to the internet or deployed in sensitive network segments.
Mitigation Steps for Administrators and Defenders
Administrators should take immediate steps to safeguard their FortiWeb deployments:
- Upgrade to the latest patched firmware provided by Fortinet.
- Restrict access to FortiWeb interfaces through internal firewalls where possible.
- Monitor HTTP request logs for suspicious URL patterns containing directory traversal sequences such as `../`.
- Leverage web application firewall (WAF) rules to detect and block traversal attempts.
- Perform vulnerability scans regularly to ensure patches are correctly applied.
Larger Implications for Web Application Security
The exploitation of CVE-2025-64446 adds to the growing list of actively targeted web application security flaws in widely deployed enterprise appliances. As adversaries increasingly automate scanning for gateway and perimeter vulnerabilities, flaws with low complexity and high impact, such as this one, rise to the top of attack chains.
Security teams should treat web application firewall (WAF) misconfigurations and zero-day vulnerabilities as high-priority risk factors. The Fortinet FortiWeb flaw demonstrates that even security-focused appliances are vulnerable if not properly maintained and updated.
Conclusion: Critical Time Window for Remediation
With CISA confirming real-world exploitation of CVE-2025-64446, organizations must act immediately to patch and mitigate. The combination of unauthenticated remote access and potential data exposure gives attackers low-friction paths to breach networks. System administrators and defenders across public and private sectors should verify FortiWeb patch levels today—and keep a close eye on log activity in the days and weeks ahead.
