Executive Summary
In November 2025, Fortinet's FortiWeb product was found vulnerable to an actively exploited path traversal flaw, designated as CVE-2025-64446. Malicious actors leveraged this vulnerability to bypass web application security measures, gaining unauthorized access to sensitive files on the system. As a result, attackers could exfiltrate data and potentially escalate privileges, thereby putting organizations at significant risk of broader compromise. The flaw became a critical concern for organizations using FortiWeb, prompting immediate remediation actions to protect against ongoing attacks targeting US federal and private sector networks.
The incident highlights the growing trend of sophisticated exploitation of web application devices by threat actors. A surge in path traversal and similar vulnerabilities in critical infrastructure underscores the need for robust, proactive vulnerability management as required by directives like CISA BOD 22-01 and made clear by its inclusion in the Known Exploited Vulnerabilities Catalog.
Why This Matters Now
With threat actors actively exploiting CVE-2025-64446 in the wild, organizations face immediate risk of data theft and lateral movement within their networks. Prompt remediation is essential, as failure to patch exposed FortiWeb systems can result in regulatory non-compliance and severe operational disruption.
Attack Path Analysis
Adversaries exploited the FortiWeb Path Traversal vulnerability (CVE-2025-64446) to gain initial access to targeted web applications. After compromising the application, the attacker attempted to escalate privileges to access broader resources. Next, the attacker conducted lateral movement by pivoting to internal workloads or services within the cloud environment. Command and control channels were established using covert outbound communications to maintain persistence. Sensitive data was exfiltrated through outbound traffic. Finally, the attacker aimed to disrupt operations or facilitate further impact, such as deploying ransomware or deleting critical data.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited the FortiWeb path traversal vulnerability (CVE-2025-64446) to gain unauthorized access to the exposed web application.
Related CVEs
CVE-2025-64446
CVSS 9.8A relative path traversal vulnerability in Fortinet FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
Affected Products:
Fortinet FortiWeb – 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, 7.0.0 through 7.0.11
Exploit Status:
exploited in the wildCVE-2025-53609
CVSS 7.2A relative path traversal vulnerability in Fortinet FortiWeb versions 7.6.0 through 7.6.4, 7.4.0 through 7.4.8, 7.2.0 through 7.2.11, and 7.0.2 through 7.0.11 may allow an authenticated attacker to perform an arbitrary file read on the underlying system via crafted requests.
Affected Products:
Fortinet FortiWeb – 7.6.0 through 7.6.4, 7.4.0 through 7.4.8, 7.2.0 through 7.2.11, 7.0.2 through 7.0.11
Exploit Status:
no public exploitCVE-2025-25254
CVSS 7.2An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiWeb versions 7.6.2 and below, 7.4.6 and below, 7.2 all versions, and 7.0 all versions may allow an authenticated admin to access and modify the filesystem via crafted requests.
Affected Products:
Fortinet FortiWeb – 7.6.2 and below, 7.4.6 and below, 7.2 all versions, 7.0 all versions
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
External Remote Services
Network Sniffing
Data Obfuscation
Non-Standard Port
Phishing
Exploitation of Remote Services
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Address Identified Vulnerabilities
Control ID: 6.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 8
CISA Zero Trust Maturity Model 2.0 – Continuous Vulnerability Management
Control ID: Asset Management - Vulnerability Management
NIS2 Directive – Addressing Vulnerabilities
Control ID: Article 21(2)d
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Federal agencies face direct mandate under BOD 22-01 to remediate CVE-2025-64446 Fortinet FortiWeb path traversal vulnerability by specified deadline.
Financial Services
Banking institutions using Fortinet FortiWeb face critical path traversal risks requiring immediate remediation to maintain PCI compliance and prevent data breaches.
Health Care / Life Sciences
Healthcare organizations must prioritize patching FortiWeb systems to prevent patient data exposure through path traversal attacks under HIPAA requirements.
Computer/Network Security
Cybersecurity providers using affected Fortinet infrastructure face reputational risks and must demonstrate rapid vulnerability management to maintain client trust.
Sources
- CISA Adds One Known Exploited Vulnerability to Cataloghttps://www.cisa.gov/news-events/alerts/2025/11/14/cisa-adds-one-known-exploited-vulnerability-catalogVerified
- Fortinet Security Advisory FG-IR-25-910https://fortiguard.fortinet.com/psirt/FG-IR-25-910Verified
- NVD - CVE-2025-64446https://nvd.nist.gov/vuln/detail/CVE-2025-64446Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust segmentation, microsegmentation, inline IPS, and strict egress policy enforcement would have greatly constrained attacker movement, detected malicious activity at key points, and limited exfiltration risks. Visibility, encrypted traffic controls, and real-time anomaly detection ensure early detection and response across the cloud environment.
Control: Cloud Firewall (ACF) + Inline IPS (Suricata)
Mitigation: Malicious exploit traffic to the web application would be blocked or detected at the perimeter.
Control: Zero Trust Segmentation
Mitigation: Movement from the web application to privileged resources is denied by microsegmentation policies.
Control: East-West Traffic Security
Mitigation: Unauthorized internal communications are monitored and blocked, containing lateral spread.
Control: Egress Security & Policy Enforcement
Mitigation: Unapproved or anomalous outbound command and control traffic is detected and prevented.
Control: Threat Detection & Anomaly Response + Encrypted Traffic (HPE)
Mitigation: Suspicious outbound data transfers are detected and can be blocked in real time.
Rapid detection and segmented isolation limits system and data destruction.
Impact at a Glance
Affected Business Functions
- Web Application Security
- Network Security Management
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive configuration files and administrative credentials due to unauthorized command execution.
Recommended Actions
Key Takeaways & Next Steps
- • Immediately apply virtual patching and inline IPS protections for KEV CVEs such as CVE-2025-64446 across all cloud workloads.
- • Enforce Zero Trust Segmentation and microsegmentation to strictly limit east-west and workload-to-workload network flows.
- • Deploy egress filtering and outbound policy enforcement to block unauthorized external communications and exfiltration attempts.
- • Continuously monitor cloud, hybrid, and multicloud environments for anomalies and leverage real-time threat detection and distributed policy enforcement.
- • Prioritize least-privilege access, centralized visibility, and automated response workflows as foundational elements of a cloud-native security strategy.
