Critical FortiWeb WAF Vulnerability Exploited in Active Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding a critical vulnerability in Fortinet’s FortiWeb Web Application Firewall (WAF). This flaw, identified as CVE-2025-64446, is actively being exploited by threat actors to gain administrative control over affected systems.
Understanding CVE-2025-64446
CVE-2025-64446 is a relative path traversal vulnerability (CWE-23) present in multiple versions of FortiWeb. This security flaw allows unauthenticated attackers to execute arbitrary administrative commands by sending specially crafted HTTP or HTTPS requests. The vulnerability affects FortiWeb versions up to 7.4.7 and 7.6.5.
Implications of the Vulnerability
Exploitation of this vulnerability can lead to complete system compromise, unauthorized data access, and potential deployment of malware. While there is no confirmed link to ransomware campaigns, real-world exploitation has been observed, particularly targeting sectors such as finance and healthcare.
Technical Details
The vulnerability arises from improper handling of file paths within the FortiWeb management interface. By manipulating the file path, attackers can bypass authentication mechanisms and execute commands with administrative privileges. This type of flaw is particularly dangerous as it allows remote code execution without requiring prior authentication.
Mitigation Measures
Fortinet has released patches to address this vulnerability. Users are strongly advised to update their FortiWeb devices to the latest versions, such as 7.4.8 or 7.6.6. Additionally, restricting administrative access through network segmentation can help mitigate potential exploitation.
Recommendations for Organizations
1. Immediate Patching: Apply the latest security updates provided by Fortinet to remediate the vulnerability.
2. Access Control: Restrict administrative access to FortiWeb devices by implementing network segmentation and limiting exposure to the internet.
3. Monitoring: Continuously monitor network traffic and system logs for unusual activities that may indicate exploitation attempts.
4. Incident Response: Develop and maintain an incident response plan to address potential breaches promptly.
Conclusion
The active exploitation of CVE-2025-64446 underscores the critical importance of timely vulnerability management and proactive security measures. Organizations utilizing FortiWeb WAFs must prioritize patching and implement robust access controls to safeguard their systems against potential attacks.
