Detect CVE-2025-64446: Fortinet FortiWeb Path Traversal Exploitation in Splunk
Detects exploitation attempts targeting CVE-2025-64446, a path traversal vulnerability (CWE-23) in Fortinet FortiWeb. This vulnerability allows attackers to traverse directory boundaries and access files outside the intended web root, potentially exposing sensitive configuration files, credentials, or system files. The vulnerability is listed in CISA KEV indicating active exploitation in the wild.
MITRE ATT&CK
SPL Detection Query
index=fortinet sourcetype=fortinet:fortiWeb OR sourcetype=fortiWeb:traffic
| eval url=lower(coalesce(url, request_url, uri, ""))
| eval msg=lower(coalesce(msg, message, log_msg, ""))
| eval combined=url." ".msg
| where match(combined, "(\.\./|\.\.\\/|%2e%2e%2f|%2e%2e/|\.\.%2f|%2e%2e%5c|%252e%252e|\.\.%252f|\.\.\.\./|\.\.\.\.\\/)") OR match(combined, "(etc/passwd|etc/shadow|web\.config|config\.json|proc/self|win\.ini|boot\.ini|/etc/hosts)")
| eval traversal_count=mvcount(split(url, "../")) + mvcount(split(url, "..%2f")) - 2
| eval targets_sensitive=if(match(combined, "(etc/passwd|etc/shadow|web\.config|config\.json|proc/self)"), 1, 0)
| eval risk_score=case(traversal_count>=3, 90, traversal_count==2, 70, traversal_count>=1, 50, 30)
| eval final_score=if(targets_sensitive=1, risk_score+20, risk_score)
| where final_score >= 50
| table _time, src_ip, dest_ip, url, msg, traversal_count, targets_sensitive, final_score, action
| sort -final_score, -_timeSplunk detection for path traversal exploitation against Fortinet FortiWeb. Searches FortiWeb logs for URL and message fields containing directory traversal sequences including percent-encoded variants, scoring by depth and sensitive file targeting.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Authorized penetration tests or red team exercises targeting FortiWeb appliances
- Security scanner tools such as Nessus or Qualys performing authenticated or unauthenticated scans
- URL encoding normalization by intermediate proxies creating apparent traversal patterns
- Legitimate administrative access to FortiWeb management interface using path-like parameters
- Log forwarding misconfigurations that duplicate or corrupt URL fields
Other platforms for CVE-2025-64446
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Basic Path Traversal Against FortiWeb-Protected Endpoint
Expected signal: FortiWeb access log entry with the traversal URL, source IP, HTTP method GET, and either a 403 block response (if WAF in block mode) or 200/redirect if in monitor mode. SIEM should receive a CommonSecurityLog or syslog event within 60 seconds.
- Test 2URL-Encoded Path Traversal (Double Encoding)
Expected signal: Multiple FortiWeb log entries with percent-encoded URL paths. SIEM events should show the encoded traversal sequences in RequestURL or Message fields. Attack log should show WAF signature matches for each encoded variant.
- Test 3Traversal Targeting FortiWeb Configuration or Certificate Files
Expected signal: FortiWeb access and attack logs showing four separate requests targeting sensitive paths. Response codes expected to be 403 if blocking mode is active. SIEM should receive all four events and score the requests with TargetsSensitiveFile=true, raising FinalScore to critical threshold.
- Test 4Automated Traversal Fuzzing Simulation
Expected signal: Burst of 8 FortiWeb log events from the same source IP within 10 seconds, each containing traversal patterns. SIEM correlation rules should group these by source IP and escalate based on repeat attempts.
Unlock Pro Content
Get the full detection package for CVE-2025-64446 including response playbook, investigation guide, and atomic red team tests.