FortiWeb Authentication Bypass (CVE-2025-64446)
Description
FortiWeb versions 7.6.0, 7.4.0 through 7.4.5, 7.2.0 through 7.2.11, 7.0.0 through 7.0.10, and all 6.4 versions contain a path confusion vulnerability (CWE-23) in the web-based GUI. This critical flaw allows remote, unauthenticated attackers to bypass authentication by manipulating URL paths so that requests reach administrative functionality. By sending crafted path traversal requests to the built-in user impersonation feature, an attacker can obtain administrative access without valid credentials.
Remediation
Apply vendor-provided security updates immediately by upgrading to a patched version: FortiWeb 7.6.1 or later, FortiWeb 7.4.6 or later, FortiWeb 7.2.12 or later, or FortiWeb 7.0.11 or later. Organizations unable to patch immediately should implement the following interim mitigations:
1. Restrict management interface access to trusted IP addresses only using firewall rules or access control lists
2. Disable remote administrative access if not required and use out-of-band management networks
3. Monitor authentication logs for suspicious administrative access patterns or unexpected user impersonation events
4. Review all administrative accounts and recent configuration changes for signs of compromise
After patching, conduct a thorough security audit of the device configuration and review logs for any indicators of exploitation during the vulnerable period.
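The log-monitoring step above (watching for path manipulation aimed at administrative functionality) can be automated. The following is an added example written for this page; it is not Fortinet code and does not reproduce any FortiWeb request format. It assumes access logs in Common Log Format, uses a hypothetical management-GUI prefix (`/admin/`, to be replaced with the real prefix of the monitored deployment), and runs over constructed sample lines. It decodes percent-encoding repeatedly (so double-encoded dot segments are caught), collapses `..` segments, and flags any request whose path only resolves under the admin prefix after normalization.

```python
import re
from posixpath import normpath
from typing import List, Optional
from urllib.parse import unquote

# Hypothetical prefix of the management GUI. Placeholder: substitute the
# real prefix used by the deployment being monitored.
ADMIN_PREFIX = "/admin/"

# Constructed sample access-log lines (Common Log Format). These are not
# real FortiWeb logs and the paths are illustrative only.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2025:10:01:02 +0000] "GET /public/index.html HTTP/1.1" 200 512
203.0.113.7 - - [12/Nov/2025:10:01:05 +0000] "GET /public/../admin/users HTTP/1.1" 200 2048
198.51.100.9 - - [12/Nov/2025:10:02:11 +0000] "POST /public/%2e%2e/admin/impersonate HTTP/1.1" 200 128
198.51.100.9 - - [12/Nov/2025:10:02:15 +0000] "GET /admin/status HTTP/1.1" 401 0
192.0.2.4 - - [12/Nov/2025:10:03:00 +0000] "GET /public/%252e%252e/admin/users HTTP/1.1" 200 2048
"""

# client - - [timestamp] "METHOD path PROTOCOL" status size
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$'
)
# A ".." path segment, at the start, between slashes, or at the end.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


def decode_path(raw_path: str) -> str:
    """Drop the query string and percent-decode until the path stops changing,
    so that single- and double-encoded dot segments are both exposed."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def normalize_path(raw_path: str) -> str:
    """Return the path the request would resolve to once '..' segments are
    collapsed; this is the path an access check should have been applied to."""
    decoded = decode_path(raw_path)
    collapsed = normpath(decoded)
    if decoded.endswith("/") and not collapsed.endswith("/"):
        collapsed += "/"
    return collapsed


def analyze_line(line: str) -> Optional[dict]:
    """Parse one log line and attach the reasons (if any) it looks like
    path manipulation aimed at the management interface."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, ts, method, raw_path, status = m.groups()
    decoded = decode_path(raw_path)
    normalized = normalize_path(raw_path)
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("dot-segment traversal in request path")
    if normalized.startswith(ADMIN_PREFIX) and not raw_path.startswith(ADMIN_PREFIX):
        reasons.append("path resolves under admin prefix only after normalization")
    # A 200 on an admin resource reached through manipulation is the case to
    # escalate first; a direct, denied request to the admin prefix is normal.
    severity = "high" if reasons and status == "200" else ("medium" if reasons else "none")
    return {
        "src": src,
        "time": ts,
        "method": method,
        "raw_path": raw_path,
        "normalized": normalized,
        "status": status,
        "reasons": reasons,
        "severity": severity,
    }


def find_suspicious(log_text: str) -> List[dict]:
    """Return the parsed records that carry at least one reason to investigate."""
    hits = []
    for line in log_text.splitlines():
        rec = analyze_line(line)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_LOG):
        print(f'{rec["severity"]:6} {rec["src"]:14} {rec["method"]} {rec["raw_path"]}'
              f' -> {rec["normalized"]} [{rec["status"]}] {"; ".join(rec["reasons"])}')
```

Of the five constructed lines, the three that reach the admin prefix through a `..` segment (plain, single-encoded and double-encoded) are reported; the direct request to `/admin/status` that was answered with 401 is not, because a denied direct request is the expected behaviour of the authentication layer. Normalizing before comparing is the point: an allow-list that only inspects the raw path prefix is exactly what a path confusion bug slips past.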