How to Fix CVE-2025-64446: Fortinet FortiWeb Relative Path Traversal
*By Sai Kiran Pandrala*
| Severity | CVSS 9.4, Critical |
|---|---|
| Actively exploited? | Yes, listed in CISA KEV |
| Affected | Fortinet FortiWeb 8.0.x, see PSIRT advisory for exact ranges |
| Fixed in | See PSIRT advisory for patched FortiWeb build |
| Type (CWE) | Relative Path Traversal |
⚠️ Patch immediately. Path traversal on a WAF lets the attacker read configuration files and policy data, then use what's revealed for deeper attacks.
What is CVE-2025-64446?
A relative path traversal vulnerability in Fortinet FortiWeb 8.0.x lets an attacker access files outside the intended directory via crafted request paths. The vulnerable code path is in the FortiWeb management interface.
Am I affected?
You are affected if you run Fortinet FortiWeb 8.0.x at any build below the patched version in the PSIRT advisory.
Check version: get system status.
How to fix CVE-2025-64446
- Open the Fortinet PSIRT advisory.
- Download the patched FortiWeb firmware.
- For HA pairs, upgrade secondary first.
- Apply firmware via GUI or CLI. Reboot. Verify version.
Upgrade FortiOS / FortiGate to the patched release
# Verify the running build
get system status | grep -i version
# Target FortiOS build is listed in the Fortinet advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-910
execute restore image tftp <patched-image>.out <tftp-server-ip>
# The firewall reboots automatically. Re-check version after reboot.
get system status | grep -i version
Verify the fix landed
# 1. Confirm the running version matches the fixed-in version from the advisory:
# https://fortiguard.fortinet.com/psirt/FG-IR-25-910
# Use the platform-specific version probe above.
# 2. Re-scan with your vulnerability scanner (Nessus, Qualys, Tenable, OpenVAS).
# The scanner should no longer flag CVE-2025-64446 on the patched target.
# 3. Inspect recent service / kernel logs for crash loops or rollback events.
journalctl -u <service> --since "10 minutes ago"
dmesg --since "10 minutes ago"
If you can't patch immediately
Restrict FortiWeb management interface access via Trusted Hosts to a small administrative subnet.
How to verify the fix worked
get system status shows the patched build. Run a vulnerability scan against the management interface.
Frequently asked questions
Is CVE-2025-64446 actively exploited?
Yes. CVE-2025-64446 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch on the published deadline. Most enterprises treat the same date as the practical floor.
What is the CVSS severity of CVE-2025-64446?
Critical. See the advisory for the full CVSS vector.
Where can I read the official advisory?
See https://www.fortiguard.com/psirt
Does the patch require a reboot?
It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.
References
- Official Fortinet PSIRT: https://www.fortiguard.com/psirt
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64446
- CISA KEV catalog entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
*This guide was assembled from the Fortinet PSIRT advisory, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against Fortinet's advisory before applying changes in production.*
Related fixes
Other vulnerabilities in the same area that are worth patching alongside this one:
- How to Fix CVE-2025-25257: Fortinet FortiWeb SQL Injection — Fortinet FortiWeb SQL Injection
- How to Fix CVE-2025-32756: Fortinet FortiVoice/FortiMail/FortiCamera Stack Buffer Overflow — Fortinet FortiVoice/FortiMail/FortiCamera Stack Buffer Overflow
- How to Fix CVE-2025-24472: Authentication Bypass in FortiProxy , Authentication Bypass in FortiProxy
- How to Fix CVE-2025-25256: FortiSIEM (Bundle Sibling) , FortiSIEM (Bundle Sibling)
- How to Fix CVE-2025-59718: Access Control Bypass in FortiSwitchManager , Access Control Bypass in FortiSwitchManager