1. Executive Summary
Two Fortinet FortiWeb vulnerabilities — CVE-2025-64446 (relative path traversal enabling unauthenticated administrative command execution) and CVE-2025-58034 (OS command injection enabling authenticated code execution) — were disclosed in November 2025 and have been reported as actively exploited. (NVD)
The highest-risk condition is internet-exposed FortiWeb management interfaces, where exploitation can lead to administrative takeover and follow-on execution. (NHS England Digital)
UK defenders should treat this as an urgent perimeter-hardening and patching event, prioritising exposed WAF management planes and auditing for unauthorised administrator creation and suspicious management-plane requests. (NHS England Digital)
2. Contextual Background
2.1 Nature of the threat
- CVE-2025-64446 — Relative path traversal in FortiWeb that may allow an attacker to execute administrative commands via crafted HTTP/HTTPS requests.
- CVE-2025-58034 — OS command injection in FortiWeb that may allow an authenticated attacker to execute unauthorised code via crafted HTTP requests or CLI commands.
2.2 Threat-actor attribution (confidence)
No confirmed named threat actor attribution is present in primary-source reporting available in the referenced advisories and national-level alerts. Current evidence best fits opportunistic exploitation of exposed management planes, with some reporting suggesting “mass exploitation” for CVE-2025-64446. Confidence: Possible. (NHS England Digital)
2.3 Sector and geographic targeting
FortiWeb is deployed as a web application firewall across sectors operating internet-facing applications (e.g., financial services, government, healthcare, SaaS). Risk concentrates where the management interface is reachable from the internet rather than constrained to administrative networks. (Rapid7)
3. Technical Analysis
3.1 Vulnerability and TTP details (MITRE ATT&CK mapped)
CVE-2025-64446 (relative path traversal / auth bypass-to-admin actions)
Open reporting describes exploitation using crafted requests to FortiWeb API paths consistent with management-plane abuse (example path observed in defensive reporting includes traversal into cgi-bin/fwbcgi). (Arctic Wolf)
Likely ATT&CK techniques:
- Initial access via public-facing management surface: T1190
- Privilege and persistence via account manipulation / creation: T1136
- Use of management interfaces / web APIs for admin actions: T1071.001 (as a behavioural analogue for web-based C2/interaction)
CVE-2025-58034 (OS command injection / authenticated execution)
Fortinet/NVD describe an OS command injection weakness enabling an authenticated attacker to execute unauthorised code via crafted HTTP requests or CLI commands. (NVD)
Likely ATT&CK techniques:
- Execution via OS command injection once authenticated: T1059 (Command and Scripting Interpreter)
3.2 Exploitation status
- CVE-2025-64446: National-level defensive reporting states researchers observed mass exploitation in the wild, with additional notes referencing exploitation observed earlier in 2025. (NHS England Digital)
- CVE-2025-58034: NHS reporting states Fortinet has reported exploitation and notes addition to the US KEV catalogue. (NHS England Digital)
- Rapid7 also reports Fortinet indicated in-the-wild exploitation for CVE-2025-58034 and highlights uncertainty about whether both were used together as a chain. (Rapid7)
Public PoC / exploit discussion: Defensive and community reporting references publicly available exploit artefacts for CVE-2025-64446 (and suspected chaining). Treat widespread scanning and exploitation as likely where appliances are exposed. (Rapid7)
4. Impact Assessment
4.1 Severity and scope
- CVE-2025-64446: Fortinet CNA CVSS v3.1 base score 9.8 (Critical), network exploitable with no privileges required. (NVD)
- CVE-2025-58034: Fortinet CNA CVSS v3.1 base score 7.2 (High), requiring authentication (PR:H in the published vector). (NVD)
Potential impacts include:
- Unauthorised FortiWeb administrative control, configuration tampering, credential/session theft, and potential pivoting into adjacent environments where FortiWeb integrates with other systems. (NVD)
4.2 Victim profile
Highest likelihood of compromise:
- Organisations with internet-reachable FortiWeb management interfaces (HTTP/HTTPS admin access). (Rapid7)
- Environments where admin credentials are reused, exposed, or where an attacker can obtain authentication then leverage CVE-2025-58034 for execution. (NVD)
5. Indicators of Compromise (IOCs)
5.1 Public IOCs table
At time of writing, the primary sources referenced here focus on vulnerability and remediation and do not provide a stable, vendor-confirmed list of malicious IPs/domains/hashes suitable for a high-confidence IOC feed. Where open reporting includes single-purpose PoC strings/paths, these are better treated as detection artefacts rather than attribution-grade IOCs. (NHS England Digital)
| Type | Value | Context/Notes | Source |
|---|---|---|---|
| HTTP Request Path (artefact) | .../cgi-bin/fwbcgi (via traversal into management CGI) | Defensive reporting describes exploitation patterns that traverse into FortiWeb CGI to perform admin actions. Implement as a hunt/detection artefact in reverse proxy/WAF logs (not a standalone IOC). | Arctic Wolf bulletin on CVE-2025-64446 (Arctic Wolf) |
| Behavioural Indicator | New / unexpected FortiWeb admin users | Reported exploitation includes creation of new administrative accounts on exposed devices. Correlate with config changes and admin audit logs. | Rapid7 ETR (Rapid7) |
| Behavioural Indicator | Unusual management-plane POSTs to FortiWeb API endpoints | Prioritise requests from untrusted IP space to management endpoints, especially around disclosure windows and after patching. | NHS CC-4717 (NHS England Digital) |
5.2 Detection guidance (practical)
Log sources to prioritise
- FortiWeb administrative audit logs (admin creation, role changes, policy/export events).
- Web server / reverse proxy logs in front of FortiWeb management interfaces (if any).
- Network telemetry for inbound management-plane traffic (HTTP/HTTPS) from the internet.
Hunting ideas
- Search for traversal-like request patterns and access to management CGI endpoints, including references to fwbcgi. (Arctic Wolf)
- Alert on any new local admin account creation, especially followed by interactive management actions or CLI/websocket usage (where logged). (Rapid7)
- For CVE-2025-58034, monitor for anomalous admin CLI activity and HTTP requests consistent with command injection attempts, particularly from recently authenticated sessions that are unusual for the account. (NVD)
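The hunting ideas above can be expressed as a small classifier over the logs of a reverse proxy or web server placed in front of the FortiWeb management interface. The script below is an added example written for this report, not tooling from Fortinet, Arctic Wolf, Rapid7 or the NHS; the log lines, source addresses and admin allowlist are constructed, the combined-log layout is an assumption (the cited sources do not describe FortiWeb's own log format), and the only page-derived artefact is the `/cgi-bin/fwbcgi` path named in the Arctic Wolf reporting. It percent-decodes each request target (so single- and double-encoded `..` segments are both seen), flags traversal sequences and access to the management CGI, and raises severity when the source is outside the approved admin address set, which is the "untrusted IP space" case from Section 5.1.

```python
"""Hunt for traversal and management-CGI artefacts in proxy logs in front of a FortiWeb
management interface. Added detection example; not code from the advisories cited here.
Log lines, addresses and the allowlist are constructed for illustration."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample lines in combined-log style (assumed format). Addresses are
# RFC 5737 documentation ranges, not real observed infrastructure.
SAMPLE_ACCESS_LOG: List[str] = [
    '203.0.113.10 - - [14/Nov/2025:10:01:02 +0000] "GET /api/v2.0/system/status HTTP/1.1" 200 512',
    '203.0.113.10 - - [14/Nov/2025:10:01:09 +0000] "POST /static/../../cgi-bin/fwbcgi HTTP/1.1" 200 87',
    '198.51.100.7 - - [14/Nov/2025:10:02:30 +0000] "POST /%252e%252e/%252e%252e/cgi-bin/fwbcgi HTTP/1.1" 200 87',
    '192.0.2.5 - - [14/Nov/2025:10:03:00 +0000] "GET /login HTTP/1.1" 200 1024',
    '192.0.2.5 - - [14/Nov/2025:10:04:00 +0000] "POST /cgi-bin/fwbcgi HTTP/1.1" 200 87',
]

# Constructed: the organisation's approved administrative source addresses.
ADMIN_ALLOWLIST = {"192.0.2.5"}

MGMT_CGI = "/cgi-bin/fwbcgi"                   # management CGI named in the Arctic Wolf reporting
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")   # a '..' path segment, checked after decoding
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise_target(raw: str) -> str:
    """Percent-decode up to three times so single- and double-encoded '..' both surface as '..'."""
    target = raw
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify_request(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one log line, or None when it shows neither artefact."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = normalise_target(m["target"])
    findings: List[str] = []
    if TRAVERSAL_RE.search(target):
        findings.append("traversal_sequence")
    if MGMT_CGI in target:
        findings.append("management_cgi")
    if not findings:
        return None
    # An untrusted source plus either artefact is the priority case from Section 5.1;
    # an allowlisted admin address reaching the CGI directly is kept at lower severity for review.
    severity = "high" if m["ip"] not in ADMIN_ALLOWLIST else "medium"
    return {
        "src": m["ip"],
        "ts": m["ts"],
        "method": m["method"],
        "target": target,
        "status": int(m["status"]),
        "findings": findings,
        "severity": severity,
    }


def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Run the classifier over a log and keep only the lines that produced a finding."""
    return [f for f in (classify_request(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_ACCESS_LOG):
        print(f'{hit["severity"]:6} {hit["src"]:14} {hit["status"]} {hit["target"]} {hit["findings"]}')
```

Decoding before matching matters: a rule that searches the raw request line for `../` misses `%2e%2e/` and `%252e%252e/`, while decoding too aggressively on the full request can corrupt legitimate query strings, so the loop here is bounded and operates only on the request target. A 200 response on a flagged line is the case to escalate first; a 4xx from the same source is still useful as evidence of scanning.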
6. Incident Response Guidance
6.1 Containment, eradication, recovery
- Immediately restrict/disable internet access to FortiWeb management interfaces (HTTP/HTTPS admin). This is explicitly recommended as a workaround when immediate upgrading is not possible. (Rapid7)
- Patch/upgrade to fixed versions (see Section 8). (Rapid7)
- Rotate credentials for FortiWeb admin accounts and any downstream systems whose secrets may be stored on or accessible from the appliance (keys, integrations, backups).
- Review configuration integrity (policies, allowed management IPs, admin accounts, LDAP/RADIUS bindings, API tokens).
- If compromise is suspected: isolate the device, acquire forensic artefacts, and consider rebuild/redeploy from known-good configuration baselines.
6.2 Forensic artefacts to collect and preserve
- Admin audit logs and configuration change history (pre/post patch window).
- Full HTTP access logs to management interfaces (where available).
- Device configuration export (handle as sensitive—may contain credentials/keys).
- Authentication logs for admin and API access (local and federated).
6.3 Lessons learned / preventive recommendations
- Treat WAF appliances as tier-0 infrastructure: isolate management planes, enforce MFA where possible, and centralise logging.
- Implement external exposure monitoring for management ports and certificates.
7. Threat Intelligence Contextualisation
7.1 Similar past incidents
Defensive reporting notes FortiWeb vulnerabilities have been exploited previously and highlights the likelihood of follow-on targeting due to product placement and integration. (Arctic Wolf)
7.2 ATT&CK mapping table (observed / likely)
| Tactic | Technique ID | Technique Name | Observed Behaviour |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Exploitation of exposed FortiWeb management services via crafted HTTP/HTTPS requests. (NHS England Digital) |
| Persistence | T1136 | Create Account | Reports describe creation of new administrative users during exploitation of CVE-2025-64446. (Rapid7) |
| Execution | T1059 | Command and Scripting Interpreter | OS command execution via command injection (CVE-2025-58034) once authenticated. (NVD) |
| Command & Control / Admin Interaction | T1071.001 | Web Protocols | Abuse of web management protocols/endpoints for control and follow-on actions (behavioural mapping). (Rapid7) |
8. Mitigation Recommendations
8.1 Hardening and configuration
- Remove internet exposure of FortiWeb management interfaces; restrict by allowlist/VPN/bastion.
- Enforce strong admin authentication controls and monitor admin activity continuously.
- Centralise logs to SIEM and alert on admin creation/config export.
8.2 Patch management (prioritised)
Priority 1 (immediate): CVE-2025-64446 (9.8 Critical)
- Upgrade to fixed versions: 8.0.2, 7.6.5, 7.4.10, 7.2.12, 7.0.12. (Rapid7)
- Interim workaround where upgrading is delayed: disable HTTP/HTTPS on internet-facing interfaces (management plane). (Rapid7)
Priority 2: CVE-2025-58034 (7.2 High; exploited)
- Upgrade to fixed versions (per national alerting): 8.0.2, 7.6.6, 7.4.11, 7.2.12, 7.0.12. (NHS England Digital)
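Because the two CVEs have different fixed releases in the 7.6 and 7.4 branches, a device can be patched for one and still exposed to the other. The script below is an added example for working through an inventory against exactly the fixed versions listed in this section; it is not Fortinet tooling and the inventory entries are constructed. It assumes that, within a major.minor branch, the listed fixed release and anything later is patched and anything earlier is not; branches not listed in this report (6.x, for instance) are reported as unknown rather than silently passed, so they get checked against the vendor advisory. Devices are then ordered using the report's own priority: exposed management plane and CVE-2025-64446 first.

```python
"""Triage a FortiWeb inventory against the fixed versions listed in Section 8.2.
Added example, not vendor tooling; the inventory below is constructed."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Fixed versions exactly as this report lists them (Rapid7 for CVE-2025-64446,
# NHS CC-4720 for CVE-2025-58034).
FIXED_VERSIONS: Dict[str, List[str]] = {
    "CVE-2025-64446": ["8.0.2", "7.6.5", "7.4.10", "7.2.12", "7.0.12"],
    "CVE-2025-58034": ["8.0.2", "7.6.6", "7.4.11", "7.2.12", "7.0.12"],
}

# Constructed inventory: hostname, running version, and whether the HTTP/HTTPS
# management interface is reachable from the internet (the Section 4.2 risk factor).
INVENTORY: List[Dict[str, object]] = [
    {"host": "waf-dmz-01", "version": "7.6.5", "mgmt_internet_exposed": True},
    {"host": "waf-dmz-02", "version": "7.2.11", "mgmt_internet_exposed": True},
    {"host": "waf-int-01", "version": "7.4.11", "mgmt_internet_exposed": False},
    {"host": "waf-lab-01", "version": "6.4.3", "mgmt_internet_exposed": False},
]


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.strip().split("."))


def fixed_in_branch(cve: str, version: Version) -> Optional[Version]:
    """The fixed release for this device's major.minor branch, if the report lists one."""
    for fixed in FIXED_VERSIONS[cve]:
        candidate = parse_version(fixed)
        if candidate[:2] == version[:2]:
            return candidate
    return None


def assess(version_text: str) -> Dict[str, str]:
    """Per-CVE status for one version string.

    Assumption: within a branch, the fixed release and later are 'patched', earlier is
    'unpatched'. Branches this report does not list come back as 'unknown-branch'.
    """
    version = parse_version(version_text)
    status: Dict[str, str] = {}
    for cve in FIXED_VERSIONS:
        fixed = fixed_in_branch(cve, version)
        if fixed is None:
            status[cve] = "unknown-branch"
        elif version >= fixed:
            status[cve] = "patched"
        else:
            status[cve] = "unpatched"
    return status


def priority(device: Dict[str, object]) -> str:
    """Order devices the way Section 8.2 does: exposed management plane plus CVE-2025-64446
    first, then CVE-2025-58034. Anything not confirmed patched is treated as outstanding."""
    status = assess(str(device["version"]))
    needs_64446 = status["CVE-2025-64446"] != "patched"
    needs_58034 = status["CVE-2025-58034"] != "patched"
    exposed = bool(device["mgmt_internet_exposed"])
    if exposed and needs_64446:
        return "P1-immediate"
    if needs_64446 or (exposed and needs_58034):
        return "P2"
    if needs_58034:
        return "P3"
    return "patched"


def triage(inventory: List[Dict[str, object]]) -> List[Tuple[str, str, Dict[str, str]]]:
    """Return (host, priority, per-CVE status) rows, most urgent first."""
    order = {"P1-immediate": 0, "P2": 1, "P3": 2, "patched": 3}
    rows = [(str(d["host"]), priority(d), assess(str(d["version"]))) for d in inventory]
    return sorted(rows, key=lambda row: order[row[1]])


if __name__ == "__main__":
    for host, prio, status in triage(INVENTORY):
        print(f"{prio:13} {host:12} {status}")
```

On the constructed inventory, the 7.6.5 device comes out patched for CVE-2025-64446 but not for CVE-2025-58034 (fixed in 7.6.6), which is the mismatch the two version lists above create. Unknown branches are deliberately treated as outstanding rather than safe.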
9. Historical Context & Related Vulnerabilities
- This activity follows a broader pattern of rapid exploitation of perimeter security appliances after disclosure, particularly where management planes are exposed. NHS reporting explicitly frames CVE-2025-64446 as “mass exploitation” and assesses further exploitation as highly likely. (NHS England Digital)
10. Future Outlook
10.1 Emerging trends
- Expect continued automated scanning for exposed FortiWeb management interfaces and opportunistic exploitation where patching lags. (NHS England Digital)
10.2 Predicted shifts
- Likely evolution toward credentialed follow-on abuse (leveraging any foothold to meet the auth requirement for CVE-2025-58034), plus broader post-exploitation tradecraft (credential theft, config tampering, lateral movement). (NVD)
11. Further Reading
Vendor / vulnerability records
- Fortinet Advisory for CVE-2025-64446 (FG-IR-25-910)
- NVD: CVE-2025-64446 (NVD)
- Fortinet Advisory for CVE-2025-58034 (FG-IR-25-513)
- NVD: CVE-2025-58034 (NVD)
National / defensive reporting
- NHS England: Fortinet FortiWeb Path Traversal Vulnerability Under Zero-Day Exploitation (CC-4717) (NHS England Digital)
- NHS England: Exploitation of Fortinet FortiWeb Vulnerability CVE-2025-58034 (CC-4720) (NHS England Digital)
- Rapid7 ETR: Critical Vulnerability in Fortinet FortiWeb Exploited in the Wild (Rapid7)
- Arctic Wolf: CVE-2025-64446 bulletin (Arctic Wolf)
