Critical Remote Code Execution (CVE‑2025‑64446) Discovered in FortiWeb 8.0.2 Web‑Application Firewall
What Happened – A publicly‑available exploit (EDB‑52502) demonstrates that FortiWeb versions < 7.6.7, < 7.8.7 and < 8.0.2 suffer an authentication‑bypass, path‑traversal and arbitrary‑file‑upload chain that yields remote code execution with root privileges on the appliance.
Why It Matters for TPRM –
- An attacker who gains a foothold on a WAF can pivot to any protected web application, exposing data and services of your downstream vendors.
- The vulnerability carries a CVSS base score of 9.8 (Critical) and, with a public exploit already available, is highly likely to be exploited in the wild.
- Many regulated sectors (finance, healthcare, government) rely on FortiWeb to protect public‑facing services; a breach could trigger compliance violations.
Who Is Affected – Organizations that deploy FortiWeb appliances (or managed‑service versions) across any industry, especially those in finance, healthcare, government, retail and SaaS platforms.
Recommended Actions –
- Verify the exact FortiWeb version in use.
- Immediately upgrade to the fixed release for your branch (FortiWeb 7.6.7, 7.8.7 or 8.0.2) or later, or apply the patch referenced in the Fortinet PSIRT advisory.
- Review authentication and API hardening controls; disable unused management interfaces.
- Analyse appliance logs for suspicious API calls, in particular unexpected administrative account creation, and enforce network segmentation so the management plane is not reachable from untrusted networks.
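The following is an added triage helper written for this summary; it is not code from Fortinet, Exploit‑DB or the advisory author. It covers two of the actions above: classifying an installed FortiWeb version against the three fixed releases named here, and scanning access‑log lines for the chain described in the technical notes (a call to the local user‑add endpoint followed by a traversal or PHP‑upload‑looking request from the same source). The log line shape, the sample IP addresses and the upload path are constructed for the example; real FortiWeb traffic logs use different fields and the regular expression must be adapted. Branches not listed in this summary are reported as unknown rather than guessed at.

```python
"""Triage helper for the FortiWeb CVE-2025-64446 summary above.

Example code written for this page, not Fortinet's or Exploit-DB's code.
Assumptions (not taken from the advisory):
  * log lines follow a generic "<src_ip> <method> <path> <http_status>" shape;
    real FortiWeb traffic-log fields differ, so adapt LOG_RE before use.
  * only the three fixed branches named in the advisory are modelled; any other
    branch is reported as "unknown-branch".
"""
import re
from dataclasses import dataclass

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_VERSIONS = {
    (7, 6): (7, 6, 7),
    (7, 8): (7, 8, 7),
    (8, 0): (8, 0, 2),
}

# Endpoint named in the advisory's technical notes.
ACCOUNT_ADD_ENDPOINT = "/api/v2.0/user/local.add"

# Generic access-log shape (constructed for this example, not FortiWeb's format).
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample log; the upload path is a deliberate placeholder.
SAMPLE_LOG = [
    "203.0.113.5 GET /login 200",
    "203.0.113.5 POST /api/v2.0/user/local.add 200",
    "203.0.113.5 POST /api/v2.0/PLACEHOLDER_UPLOAD/../../../cmd.php 200",
    "198.51.100.7 GET /api/v2.0/status 200",
]


def parse_version(text: str) -> tuple:
    """Turn '7.6.5' or 'v7.6.5' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_status(text: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown-branch' for a FortiWeb version."""
    ver = parse_version(text)
    fixed = FIXED_VERSIONS.get(ver[:2])
    if fixed is None:
        return "unknown-branch"
    return "vulnerable" if ver < fixed else "fixed"


@dataclass
class Finding:
    src_ip: str
    reason: str


def scan_logs(lines) -> list:
    """Flag the chain from the technical notes: a POST to the local user-add
    endpoint, then any later request from the same source whose path contains a
    traversal sequence or ends in .php (a heuristic for the web-shell upload)."""
    findings = []
    suspicious_sources = set()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; tolerate rather than abort the scan
        ip, method, path, status = m.group("ip", "method", "path", "status")
        bare_path = path.split("?", 1)[0]
        if method == "POST" and bare_path == ACCOUNT_ADD_ENDPOINT:
            findings.append(Finding(ip, f"account creation via {ACCOUNT_ADD_ENDPOINT} (HTTP {status})"))
            suspicious_sources.add(ip)
        elif ip in suspicious_sources and (".." in path or bare_path.lower().endswith(".php")):
            findings.append(Finding(ip, f"traversal/PHP upload after account creation: {path}"))
    return findings


if __name__ == "__main__":
    for v in ("7.6.5", "8.0.2", "7.4.3"):
        print(v, version_status(v))
    for f in scan_logs(SAMPLE_LOG):
        print(f.src_ip, f.reason)
```

Any call to the user‑add endpoint from a source that is not your change‑management tooling deserves a look on its own; the second heuristic only raises the priority of a source that has already created an account.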
Technical Notes – The exploit abuses an insecure API endpoint (/api/v2.0/user/local.add) to create a privileged admin account, then logs in and uploads a PHP web‑shell that initiates a reverse TCP shell. The attack vector is a combination of authentication bypass, path traversal and arbitrary file upload on the appliance’s Linux‑based OS. Source: Exploit‑DB 52502