1.0 Introduction
Fortinet has recently released a security advisory addressing a critical relative path traversal vulnerability (CVE-2025-64446) affecting multiple versions of its FortiWeb web application firewall (WAF) products.
2.0 Impact
Successful exploitation of this vulnerability allows an unauthenticated attacker to execute administrative commands on the affected system through specially crafted HTTP or HTTPS requests. This can lead to complete compromise of the FortiWeb management interface. Fortinet has confirmed that this vulnerability is actively being exploited in the wild.
3.0 Affected Products
| Product & Major Version | Affected Versions |
|---|---|
| FortiWeb 8.0 | 8.0.0 - 8.0.1 |
| FortiWeb 7.6 | 7.6.0 - 7.6.4 |
| FortiWeb 7.4 | 7.4.0 - 7.4.9 |
| FortiWeb 7.2 | 7.2.0 - 7.2.11 |
| FortiWeb 7.0 | 7.0.0 - 7.0.11 |
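As an added example that is not part of the advisory, the Python snippet below checks whether a FortiWeb version string falls inside one of the affected ranges in the table above; the handling of the version-string format (optional leading "v", optional build suffix after a comma) and the sample inputs are assumptions.

```python
# Added example, not from the CyberSecurity Malaysia advisory or from Fortinet.
# Checks a FortiWeb version string against the affected ranges listed in the
# advisory table for CVE-2025-64446. Ranges are inclusive on both ends.

# Affected ranges copied from the advisory table: branch -> (lowest, highest).
AFFECTED_RANGES = {
    "8.0": ((8, 0, 0), (8, 0, 1)),
    "7.6": ((7, 6, 0), (7, 6, 4)),
    "7.4": ((7, 4, 0), (7, 4, 9)),
    "7.2": ((7, 2, 0), (7, 2, 11)),
    "7.0": ((7, 0, 0), (7, 0, 11)),
}


def parse_version(text):
    """Turn a version string into a (major, minor, patch) tuple.

    Assumption: the string looks like '7.4.9' or 'v7.4.9,build1234'; a leading
    'v' and anything after the first comma are ignored. Anything else raises.
    """
    core = text.strip().lstrip("vV").split(",")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text):
    """Return True if the version is inside an affected range, False if it is
    in a listed branch but outside the range, and None if the branch is not in
    the advisory table at all (so the caller does not mistake 'not listed' for
    'not affected')."""
    ver = parse_version(text)
    branch = f"{ver[0]}.{ver[1]}"
    if branch not in AFFECTED_RANGES:
        return None
    low, high = AFFECTED_RANGES[branch]
    return low <= ver <= high  # tuple comparison is lexicographic


if __name__ == "__main__":
    # Constructed sample inputs, not real device output.
    for sample in ["7.4.9", "7.4.10", "v8.0.1,build1234", "6.4.0"]:
        print(sample, "->", is_affected(sample))
```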
4.0 Recommendations
CyberSecurity Malaysia encourages users and administrators to review the Fortinet Product Security Incident Response Team Advisories and apply necessary updates. Kindly refer to the following URL:
Generally, CyberSecurity Malaysia advises users of these devices to stay updated with the latest security announcements from the vendor and to follow best-practice security policies when determining which updates should be applied.
For further enquiries, please contact us through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 08:30 - 17:30 MYT
Web: https://www.cybersecurity.my
5.0 References