FortiWeb Authentication Bypass (CVE-2025-64446)
Description
FortiWeb versions 7.6.0, 7.4.0 through 7.4.5, 7.2.0 through 7.2.11, 7.0.0 through 7.0.10, and all 6.4 releases contain a path confusion vulnerability (CWE-23) in the web-based GUI. This critical flaw allows remote, unauthenticated attackers to bypass authentication by manipulating URL paths so that administrative functionality becomes reachable. Through crafted path traversal requests, attackers can reach the built-in user impersonation feature and obtain administrative access without valid credentials.
Remediation
Apply vendor-provided security updates immediately by upgrading to a patched version: FortiWeb 7.6.1 or later, FortiWeb 7.4.6 or later, FortiWeb 7.2.12 or later, or FortiWeb 7.0.11 or later. Organizations unable to patch immediately should implement the following interim mitigations:

1. Restrict management interface access to trusted IP addresses only using firewall rules or access control lists
2. Disable remote administrative access if not required and use out-of-band management networks
3. Monitor authentication logs for suspicious administrative access patterns or unexpected user impersonation events
4. Review all administrative accounts and recent configuration changes for signs of compromise

After patching, conduct a thorough security audit of the device configuration and review logs for any indicators of exploitation during the vulnerable period.
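As an added illustration of mitigations 1 and 3 (this is example code written for this page, not part of the advisory or of any Fortinet tooling), the Python below scans constructed web access-log lines for the two signals an analyst would look for: traversal sequences in request paths, including double-encoded ones, and admin-GUI paths reached from outside a trusted management network. The admin prefix, trusted network, log layout and sample lines are assumptions, not FortiWeb specifics.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Assumptions, not from the advisory: admin GUI served under ADMIN_PREFIX,
# management interface expected only from TRUSTED_MGMT_NETS.
ADMIN_PREFIX = "/mgmt/"
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample access-log lines in a common-log-style layout (not real FortiWeb output).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Nov/2025:10:01:02 +0000] "GET /mgmt/users HTTP/1.1" 200
203.0.113.7 - - [14/Nov/2025:10:02:15 +0000] "GET /public/img/%2e%2e/%2e%2e/mgmt/users HTTP/1.1" 200
203.0.113.7 - - [14/Nov/2025:10:03:40 +0000] "GET /public/help.html HTTP/1.1" 200
198.51.100.9 - - [14/Nov/2025:10:04:01 +0000] "POST /mgmt/config HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_path(target: str) -> str:
    """Drop the query string and percent-decode until stable (catches double encoding)."""
    path = target.split("?", 1)[0]
    prev = None
    while path != prev:
        prev, path = path, unquote(path)
    return path

def has_traversal(target: str) -> bool:
    """True when any decoded path segment is '..', the path-confusion indicator."""
    return ".." in decode_path(target).split("/")

def canonical_path(target: str) -> str:
    """Collapse '.' and '..' segments to the path the back end would actually resolve."""
    return posixpath.normpath(decode_path(target))

def analyze(log_text: str) -> list:
    """Return (client_ip, reason, raw_target) for every request worth an analyst's look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash
        raw, ip = m["target"], ipaddress.ip_address(m["ip"])
        if has_traversal(raw):
            findings.append((m["ip"], "traversal sequence in request path", raw))
        # Judge admin access on the resolved path so a traversal landing in the admin tree is caught.
        if canonical_path(raw).startswith(ADMIN_PREFIX) and not any(ip in n for n in TRUSTED_MGMT_NETS):
            findings.append((m["ip"], "admin path reached from outside management network", raw))
    return findings
```

Run `analyze(SAMPLE_LOG)` against your own access-log export after adjusting the regex to its layout; a request that trips both checks produces two findings on purpose, since each is a separate triage lead.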