Full Report
U.S. government agencies have been given a shorter window than usual to patch a critical vulnerability affecting Fortinet's FortiWeb firewall product.
Analysis Summary
# Vulnerability: FortiWeb Relative Path Traversal Leading to Admin Account Creation
## CVE Details
- CVE ID: CVE-2025-64446
- CVSS Score: 9.1 (Critical)
- CWE: Not explicitly named, but described as a Relative Path Traversal leading to authentication bypass/privilege escalation.
## Affected Systems
- Products: Fortinet FortiWeb (Web Application Firewall)
- Versions: Versions prior to 8.0.2 are confirmed vulnerable. Newer versions appear to be patched (see Remediation).
- Configurations: Affects internet-facing interfaces if HTTP/HTTPS is enabled.
## Vulnerability Description
This is a critical vulnerability described as a **Relative Path Traversal** flaw within FortiWeb. Successful exploitation allows an unauthenticated attacker to bypass authentication and gain **administrator-level access** to the FortiWeb Manager panel. The primary observed exploitation activity involves adding a new administrator account for persistence.
## Exploitation
- Status: **Exploited in the wild** (Confirmed by CISA and security researchers).
- Complexity: Low (Implied by initial reports and wide-scale observation).
- Attack Vector: Network (Remote, unauthenticated).
## Impact
- Confidentiality: High (Gaining admin access allows viewing/exfiltration of configuration and potentially traffic logs).
- Integrity: High (Ability to modify firewall rules, settings, and add persistent accounts).
- Availability: Medium (Potential for configuration disruption, though primary goal seems to be persistence).
## Remediation
### Patches
- Fortinet issued an advisory recommending upgrades to patched versions.
- **Patched Version:** Fortinet FortiWeb **8.0.2** and later versions are confirmed to fix the vulnerability.
### Workarounds
- If immediate upgrading is not possible, CISA warns users to **disable HTTP or HTTPS** for internet-facing interfaces.
## Detection
- **Indicators of Compromise (IoC):** Look for unexpected changes in administrative user accounts or unexpected network/firewall rule modifications on the FortiWeb Manager panel.
- **Detection Methods and Tools:** WatchTowr released a **Detection Artefact Generator** to help defenders identify vulnerable remote hosts. Defenders should monitor access logs for anomalous administrative activity originating over HTTP/HTTPS connections to the management interface.
## References
- Vendor Advisory: fthttps://fortiguard.fortinet.com/psirt/FG-IR-25-910 (Defanged)
- CISA Alert: fttps://www.cisa.gov/news-events/alerts/2025/11/14/cisa-adds-one-known-exploited-vulnerability-catalog (Defanged)
- Researcher Analysis (WatchTowr): fttps://labs.watchtowr.com/when-the-impersonation-function-gets-used-to-impersonate-users-fortinet-fortiweb-auth-bypass/ (Defanged)