CVE-2025-64446 Elastic Security · Elastic

Detect CVE-2025-64446: Fortinet FortiWeb Path Traversal Exploitation in Elastic Security

Detects exploitation attempts targeting CVE-2025-64446, a path traversal vulnerability (CWE-23) in Fortinet FortiWeb. This vulnerability allows attackers to traverse directory boundaries and access files outside the intended web root, potentially exposing sensitive configuration files, credentials, or system files. The vulnerability is listed in CISA KEV indicating active exploitation in the wild.

MITRE ATT&CK

Tactic
Initial Access Defense Evasion Discovery

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by source.ip with maxspan=5m
  [network where event.dataset == "fortinet.fortiWeb" and
   (
     url.original : ("*../*", "*..\\*", "*%2e%2e%2f*", "*%2e%2e/*", "*..%2f*", "*%2e%2e%5c*", "*%252e%252e*", "*..../*") or
     url.path : ("*../*", "*..\\*", "*%2e%2e%2f*", "*..%2f*")
   )
  ] with runs=2
critical severity medium confidence

EQL sequence detection for repeated path traversal attempts from the same source IP against Fortinet FortiWeb within a 5-minute window, reducing noise from single accidental requests while catching active exploitation attempts.

Data Sources

Fortinet FortiWebElastic Agent with Fortinet integration

Required Tables

logs-fortinet.fortiWeb-*filebeat-*

False Positives & Tuning

  • Automated vulnerability scanners performing multiple requests in sequence
  • Web crawlers with misconfigured URL normalization hitting FortiWeb-protected applications
  • Repeated legitimate requests with URL parameters that superficially match traversal patterns
  • Load balancer health checks using sequential requests with path components

Other platforms for CVE-2025-64446

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Basic Path Traversal Against FortiWeb-Protected Endpoint

    Expected signal: FortiWeb access log entry with the traversal URL, source IP, HTTP method GET, and either a 403 block response (if WAF in block mode) or 200/redirect if in monitor mode. SIEM should receive a CommonSecurityLog or syslog event within 60 seconds.

  2. Test 2URL-Encoded Path Traversal (Double Encoding)

    Expected signal: Multiple FortiWeb log entries with percent-encoded URL paths. SIEM events should show the encoded traversal sequences in RequestURL or Message fields. Attack log should show WAF signature matches for each encoded variant.

  3. Test 3Traversal Targeting FortiWeb Configuration or Certificate Files

    Expected signal: FortiWeb access and attack logs showing four separate requests targeting sensitive paths. Response codes expected to be 403 if blocking mode is active. SIEM should receive all four events and score the requests with TargetsSensitiveFile=true, raising FinalScore to critical threshold.

  4. Test 4Automated Traversal Fuzzing Simulation

    Expected signal: Burst of 8 FortiWeb log events from the same source IP within 10 seconds, each containing traversal patterns. SIEM correlation rules should group these by source IP and escalate based on repeat attempts.

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-64446 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0005Defense EvasionTA0007Discovery

Related Techniques

T1190Exploit Public-Facing ApplicationT1083File and Directory DiscoveryT1552.001Credentials In FilesT1005Data from Local System

Same Tactic: Initial Access

Popular Detections