CVE-2025-64446: Fortinet FortiWeb Path Traversal Exploitation
Detects exploitation attempts targeting CVE-2025-64446, a path traversal vulnerability (CWE-23) in Fortinet FortiWeb. This vulnerability allows attackers to traverse directory boundaries and access files outside the intended web root, potentially exposing sensitive configuration files, credentials, or system files. The vulnerability is listed in CISA KEV indicating active exploitation in the wild.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Fortinet
- Product
- FortiWeb
Weakness (CWE)
Timeline
- Disclosed
- November 14, 2025
References & Proof of Concept
CVSS
What is CVE-2025-64446 CVE-2025-64446: Fortinet FortiWeb Path Traversal Exploitation?
CVE-2025-64446: Fortinet FortiWeb Path Traversal Exploitation (CVE-2025-64446) maps to the Initial Access and Defense Evasion and Discovery tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for CVE-2025-64446: Fortinet FortiWeb Path Traversal Exploitation, covering the data sources and telemetry it touches: Fortinet FortiWeb, CommonSecurityLog, Syslog. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
let traversalPatterns = dynamic(['../', '..\\', '%2e%2e%2f', '%2e%2e/', '..%2f', '%2e%2e%5c', '..../', '....\\', '%252e%252e', '..%252f']);
let sensitiveFiles = dynamic(['/etc/passwd', '/etc/shadow', 'web.config', 'config.json', 'fortiweb', '/proc/self', 'win.ini', 'boot.ini']);
CommonSecurityLog
| where DeviceVendor == "Fortinet" and DeviceProduct == "FortiWeb"
| where isnotempty(RequestURL) or isnotempty(Message)
| extend NormalizedURL = tolower(coalesce(RequestURL, ""))
| extend NormalizedMsg = tolower(coalesce(Message, ""))
| where (NormalizedURL has_any (traversalPatterns) or NormalizedMsg has_any (traversalPatterns))
or (NormalizedURL has_any (sensitiveFiles) or NormalizedMsg has_any (sensitiveFiles))
| extend TraversalDepth = countof(NormalizedURL, '../') + countof(NormalizedURL, '..%2f') + countof(NormalizedURL, '%2e%2e')
| extend RiskScore = case(
TraversalDepth >= 3, 90,
TraversalDepth == 2, 70,
TraversalDepth == 1, 50,
30)
| extend TargetsSensitiveFile = NormalizedURL has_any (sensitiveFiles) or NormalizedMsg has_any (sensitiveFiles)
| extend FinalScore = iff(TargetsSensitiveFile, RiskScore + 20, RiskScore)
| where FinalScore >= 50
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, RequestURL, Message, TraversalDepth, TargetsSensitiveFile, FinalScore, Activity
| order by FinalScore desc, TimeGenerated descDetects path traversal exploitation attempts against Fortinet FortiWeb by monitoring CommonSecurityLog for URL patterns containing directory traversal sequences, including encoded variants. Scores requests by traversal depth and sensitivity of targeted files.
Data Sources
Required Tables
False Positives
- Legitimate security scanners or vulnerability assessment tools running authorized scans against FortiWeb
- Web application penetration testing engagements with FortiWeb as the target
- URL-encoded characters in legitimate file paths that superficially resemble traversal sequences
- Misconfigured proxies or load balancers that rewrite URLs with double-encoding
- Automated monitoring tools that include path components in health check URLs
Sigma rule & cross-platform mapping
The detection logic for CVE-2025-64446: Fortinet FortiWeb Path Traversal Exploitation (CVE-2025-64446) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2025-64446
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Basic Path Traversal Against FortiWeb-Protected Endpoint
Expected signal: FortiWeb access log entry with the traversal URL, source IP, HTTP method GET, and either a 403 block response (if WAF in block mode) or 200/redirect if in monitor mode. SIEM should receive a CommonSecurityLog or syslog event within 60 seconds.
- Test 2URL-Encoded Path Traversal (Double Encoding)
Expected signal: Multiple FortiWeb log entries with percent-encoded URL paths. SIEM events should show the encoded traversal sequences in RequestURL or Message fields. Attack log should show WAF signature matches for each encoded variant.
- Test 3Traversal Targeting FortiWeb Configuration or Certificate Files
Expected signal: FortiWeb access and attack logs showing four separate requests targeting sensitive paths. Response codes expected to be 403 if blocking mode is active. SIEM should receive all four events and score the requests with TargetsSensitiveFile=true, raising FinalScore to critical threshold.
- Test 4Automated Traversal Fuzzing Simulation
Expected signal: Burst of 8 FortiWeb log events from the same source IP within 10 seconds, each containing traversal patterns. SIEM correlation rules should group these by source IP and escalate based on repeat attempts.
Unlock Pro Content
Get the full detection package for CVE-2025-64446 including response playbook, investigation guide, and atomic red team tests.