The Gatekeeper Compromised
Fortinet has released a high-priority security advisory regarding its Web Application Firewall (WAF) solution, FortiWeb. A critical vulnerability (identified as CVE-2025-64446) has been discovered that could allow an attacker to take full control of the device without needing a username or password.
The flaw is described as a Relative Path Traversal. By sending specifically crafted HTTP or HTTPS requests, a cybercriminal can bypass web directory restrictions and execute arbitrary commands on the underlying operating system with administrator privileges.
Affected Resources
The vulnerability affects a wide range of versions. If your infrastructure uses any of the following, it is at risk:
- FortiWeb 8.0: Versions 8.0.0 through 8.0.1.
- FortiWeb 7.6: Versions 7.6.0 through 7.6.4.
- FortiWeb 7.4: Versions 7.4.0 through 7.4.9.
- FortiWeb 7.2: Versions 7.2.0 through 7.2.11.
- FortiWeb 7.0: Versions 7.0.0 through 7.0.11.
Immediate Solution
Given the severity (rated Critical) and the potential for remote exploitation, it is recommended to apply security patches immediately. The secure versions to upgrade to are:
- 8.0 Branch: Update to 8.0.2 or higher.
- 7.6 Branch: Update to 7.6.5 or higher.
- 7.4 Branch: Update to 7.4.10 or higher.
- 7.2 Branch: Update to 7.4.10 or higher (Note: check release notes for upgrade path).
- 7.0 Branch: Update to 7.0.12 or higher.
This vulnerability highlights the critical importance of keeping not just servers updated, but also the perimeter security devices tasked with protecting them.
Source: INCIBE Security Notice