9.8 CVE-2025-64446

Path Traversal Exploit

A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
https://nvd.nist.gov/vuln/detail/CVE-2025-64446

Categories

CWE-23 : Relative Path Traversal
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

"Zip slip" is an attack that uses file archives (e.g., ZIP, tar, rar, etc.) that contain filenames with path traversal sequences that cause the files to be written outside of the directory under which the archive is expected to be extracted [REF-1282]. It is most commonly used for relative path traversal (CWE-23) and link following (CWE-59).

Detection: automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).

Mitigation: use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

Observed examples:
- Large language model (LLM) management tool does not validate the format of a digest value (CWE-1287) from a private, untrusted model registry, enabling relative path traversal (CWE-23), a.k.a. Probllama.
- Product for managing datasets for AI model training and evaluation allows both relative (CWE-23) and absolute (CWE-36) path traversal to overwrite files via the Content-Disposition header.
- Chain: a learning management tool debugger uses external input to locate previous session logs (CWE-73) and does not properly validate the given path (CWE-20), allowing for filesystem path traversal using "../" sequences (CWE-24).
- Python package manager does not correctly restrict the filename specified in a Content-Disposition header, allowing arbitrary file read using path traversal sequences such as "../".
- Directory traversal in Go-based Kubernetes operator app allows accessing data from the controller's pod file system via "../" sequences in a YAML file.
- A Kubernetes package manager written in Go allows malicious plugins to inject path traversal sequences into a plugin archive ("Zip slip") to copy a file outside the intended directory.
- Chain: cloud computing virtualization platform does not require authentication for upload of a tar format file (CWE-306), then uses ".." path traversal sequences (CWE-23) in the file to access unexpected files, as exploited in the wild per CISA KEV.
- Go-based archive library allows extraction of files to locations outside of the target folder with "../" path traversal sequences in filenames in a zip file, aka "Zip Slip".
- Server allows remote attackers to cause a denial of service via certain HTTP GET requests containing a %2e%2e (encoded dot-dot), several "/../" sequences, or several "../" in a URI.
- "\" not in denylist for web server, allowing path traversal attacks when the server is run on Windows and other OSes.
- Arbitrary files may be read via ".." (dot dot) sequences in an HTTP request.
- Directory traversal vulnerability in search engine for web server allows remote attackers to read arbitrary files via "..\" sequences in queries.
- Directory traversal vulnerability in FTP server allows remote attackers to read arbitrary files via "..\" sequences in a GET request.
- Directory traversal vulnerability in servlet allows remote attackers to execute arbitrary commands via "..\" sequences in an HTTP request.
- Protection mechanism checks for "/.." but doesn't account for Windows-specific "\..", allowing read of arbitrary files.
- Directory traversal vulnerability in FTP server allows remote authenticated attackers to list arbitrary directories via a ".." sequence in an LS command.
- The administration function in Access Control Server allows remote attackers to read HTML, Java class, and image files outside the web root via a "...." sequence in the URL to port 2002.
- "..." in web server.
- "..." in cd command in FTP server (three separate entries).
- Read of arbitrary files and directories using GET or CD with "..." in Windows-based FTP server.
- Read files using "." and Unicode-encoded "/" or "\" characters in the URL.
- Directory listing of web server using "..." (triple dot).
- Read files via "/........../" in URL.
- Read files via "...." in web server.
- Read files via "......" in web server (doubled triple dot?) (two separate entries).
- Multiple attacks using "..", "...", and "...." in different commands.
- "..." or "...." in chat server.
- Chain: ".../...//" bypasses a protection mechanism that uses regexps to remove "../", resulting in collapse into the unsafe value "../" (CWE-182) and resultant path traversal.
- ".../....///" bypasses regexps that remove "./" and "../".
- Mail server allows remote attackers to create arbitrary directories via a ".." or rename arbitrary files via a "....//" in user-supplied parameters.
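The two failure modes that recur in the examples above (a sanitizer that strips "../" once and so collapses ".../...//" into a fresh "../", and percent-encoded or backslash variants slipping past a literal check) are easier to see in code. The following is an added illustration written for this page; it is not FortiWeb code and does not model CVE-2025-64446 itself. The web root, the sample request paths and all function names are constructed for the example.

```python
"""Relative path traversal (CWE-23): a strip-once sanitizer and its bypass,
a canonicalize-then-check resolver, and a request-path detector.

Added illustration for the CWE-23 notes above; this is not FortiWeb code and
does not model CVE-2025-64446 itself. Base directory and request paths are
constructed sample data."""
import posixpath
from typing import List, Optional
from urllib.parse import unquote


def naive_strip_dotdot(user_path: str) -> str:
    """VULNERABLE: removes "../" in a single, non-recursive pass.
    Deleting the inner "../" from ".../...//" leaves a fresh "../" behind,
    the CWE-182 collapse described in the observed examples."""
    return user_path.replace("../", "")


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %2e%2e and the
    double-encoded %252e%252e both end up as literal dots."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def resolve_under(base_dir: str, user_path: str) -> Optional[str]:
    """HARDENED: decode, unify separators, treat the input as relative
    (so an absolute path cannot replace the base, CWE-36), canonicalize,
    then verify the result is still inside base_dir.
    Returns the safe absolute path, or None if the input escapes."""
    relative = decode_fully(user_path).replace("\\", "/").lstrip("/")
    base = posixpath.normpath(base_dir)
    full = posixpath.normpath(posixpath.join(base, relative))
    if full == base or full.startswith(base + "/"):
        return full
    return None


def looks_like_traversal(request_path: str) -> bool:
    """WAF-style signal on a raw request path: after decoding and
    separator normalization, any segment made only of two or more dots
    ("..", "...", "....") is treated as a traversal attempt. Dot-runs
    longer than two are the legacy Windows FTP/web server cases above."""
    normalized = decode_fully(request_path).replace("\\", "/")
    return any(len(seg) >= 2 and set(seg) == {"."}
               for seg in normalized.split("/"))


def scan_requests(paths: List[str]) -> List[str]:
    """Return the request paths that trip the traversal check."""
    return [p for p in paths if looks_like_traversal(p)]


# Constructed sample request paths (not captured traffic).
SAMPLE_REQUESTS = [
    "/images/logo.png",
    "/images/../../etc/passwd",
    "/images/%2e%2e/%2e%2e/etc/passwd",
    "/images/%252e%252e/%252e%252e/etc/passwd",
    "/images/..%5c..%5cwindows%5cwin.ini",
    "/images/.../.../boot.ini",
]

WEB_ROOT = "/var/www/html"  # constructed base directory

if __name__ == "__main__":
    print("strip-once on '.../...//' ->", naive_strip_dotdot(".../...//"))
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:45} flagged={looks_like_traversal(req)} "
              f"resolved={resolve_under(WEB_ROOT, req)}")
```

Note the division of labour: resolve_under treats "..." and "...." as ordinary file names, which is correct on a POSIX filesystem, so the last sample path resolves inside the web root; the detector still flags it because those dot-runs are only ever seen in attacks against legacy Windows servers. The resolver is the fix; the detector is the compensating control the CWE text describes for code you cannot change.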

References

source tags
134c704f-9b21-4f2e-91b3-4a467353bcc0 (CISA-ADP) Exploit
psirt@fortinet.com (Fortinet PSIRT, CNA) Exploit


CPE

cpe start end
Configuration 1
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* >= 7.0.0 < 7.0.12
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* >= 7.2.0 < 7.2.12
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* >= 7.4.0 < 7.4.10
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* >= 7.6.0 < 7.6.5
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:* >= 8.0.0 < 8.0.2


REMEDIATION

Fixed releases, derived from the upper bounds of the affected CPE ranges above: FortiWeb 7.0.12, 7.2.12, 7.4.10, 7.6.5 and 8.0.2. Upgrade to the fixed release for the branch in use.
Until the upgrade is applied, restrict HTTP/HTTPS access to the FortiWeb management interface to trusted administrative networks, since the weakness is reached through crafted HTTP or HTTPS requests and yields administrative command execution. On devices that were exposed before patching, review administrator accounts and recent configuration changes for unexpected activity.


EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
https://github.com/watchtowrlabs/watchTowr-vs-Fortiweb-AuthBypass


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
139 Relative Path Traversal High
76 Manipulating Web Input to File System Calls Very High