Fortinet has confirmed the discovery of a critical relative path vulnerability (CWE-23) in FortiWeb devices, identified as CVE-2025-64446 and registered as IR Number FG-IR-25-910 .
The flaw, published on November 14, 2025, primarily affects the GUI management interface and allows an unauthenticated attacker to execute administrative commands via manipulated HTTP or HTTPS requests. The vulnerability is classified as critical, with a CVSSv3 score of 9.1, and the primary risk is inadequate access control, which could lead to severe system compromise.
According to Fortinet, the vulnerability has already been exploited in real-world scenarios, increasing the urgency of taking corrective measures. Unauthorized access to FortiWeb devices could allow attackers to gain full administrative control, potentially resulting in serious consequences for corporate network security.
Vulnerable FortiWeb versions and recommended updates are:
| Version | Affected | Solution |
|---|---|---|
| FortiWeb 8.0 | 8.0.0 through 8.0.1 | Upgrade to 8.0.2 or above |
| FortiWeb 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.5 or above |
| FortiWeb 7.4 | 7.4.0 through 7.4.9 | Upgrade to 7.4.10 or above |
| FortiWeb 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.12 or above |
| FortiWeb 7.0 | 7.0.0 through 7.0.11 | Upgrade to 7.0.12 or above |
As a temporary measure, Fortinet recommends disabling HTTP and HTTPS access on internet-facing interfaces. If HTTP/HTTPS access is limited to internal networks, as per security best practices, the risk of exploiting the vulnerability is significantly reduced. This solution allows for temporary mitigation of the threat until corrective updates are installed.
After the update, system administrators should carefully review device configurations and analyze logs to identify any unauthorized changes or the creation of suspicious administrative accounts. These audits are essential to ensure any previous compromise attempts are detected and remediated.
Fortinet has also made update packages available in CVRF and CSAF formats for structured vulnerability management. The company urges all customers to take action promptly, given the critical severity of the flaw, its presence in real-world exploitation scenarios, and its inclusion in the CISA KEV catalog.
It’s not recommended to make the administration interfaces of devices like FortiWeb accessible over the internet. Even with updates available or authentication systems implemented, the risk remains high: a patch may not yet be applied, or the authentication may contain vulnerabilities .
Exposing the GUI publicly exposes the entire company to potential attacks, including automated ones, making the system vulnerable to critical compromises. The cardinal rule of network device security is that administrative access should always be limited to secure internal networks and never made directly public.
Reduce exposure: this is the key to success.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
