A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection Platforms. Six years running.Six years. Gartner® Magic Quadrant™ Leader.Read More
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-25254

CVE-2025-25254: Fortinet FortiWeb Path Traversal Flaw

CVE-2025-25254 is a path traversal vulnerability in Fortinet FortiWeb that allows authenticated admins to access and modify the filesystem via crafted requests. This article covers technical details, affected versions, and mitigations.

Published: May 26, 2026

CVE-2025-25254 Overview

CVE-2025-25254 is a path traversal vulnerability [CWE-22] affecting Fortinet FortiWeb. The flaw resides in an administrative endpoint that fails to properly restrict pathname inputs. An authenticated administrator can submit crafted requests to read and modify files outside the intended directory scope.

Affected versions include FortiWeb 7.6.2 and below, 7.4.6 and below, and all releases of 7.2 and 7.0. The vulnerability requires high privileges and no user interaction, but its network attack vector and full impact on confidentiality, integrity, and availability make it a meaningful risk in environments where administrative accounts may be shared or compromised.

Critical Impact

An authenticated administrator can traverse the FortiWeb filesystem to access and modify arbitrary files, undermining the integrity of the web application firewall.

Affected Products

  • Fortinet FortiWeb 7.6.2 and below
  • Fortinet FortiWeb 7.4.6 and below
  • Fortinet FortiWeb 7.2 (all versions) and 7.0 (all versions)

Discovery Timeline

  • 2025-04-08 - CVE-2025-25254 published to the National Vulnerability Database (NVD)
  • 2025-07-22 - Last updated in NVD database

Technical Details for CVE-2025-25254

Vulnerability Analysis

FortiWeb exposes an administrative endpoint that accepts file path parameters as part of normal management operations. The endpoint does not sufficiently validate or canonicalize these parameters before using them in filesystem operations. An authenticated administrator can supply crafted input containing traversal sequences such as ../ to escape the intended directory and reach arbitrary files on the appliance.

Because the affected logic supports both read and write operations, exploitation enables file disclosure and file modification. Attackers can target configuration files, web application firewall rule sets, certificate stores, and binaries used by the device runtime.

Root Cause

The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. The vulnerable endpoint concatenates or resolves user-controlled path components without rejecting parent-directory references or enforcing a strict allowlist of permitted paths.

Attack Vector

An attacker must hold valid administrative credentials on the FortiWeb management interface. With those credentials, the attacker issues crafted HTTP requests over the network to the vulnerable endpoint. No user interaction is required. Successful exploitation yields read and write access to the underlying filesystem within the privileges of the FortiWeb management process.

The vulnerability is documented in the Fortinet Security Advisory FG-IR-24-474. No public proof-of-concept code is available at the time of writing.

Detection Methods for CVE-2025-25254

Indicators of Compromise

  • HTTP requests to FortiWeb administrative endpoints containing path traversal sequences such as ../, ..%2f, or encoded variants in path or query parameters.
  • Unexpected modifications to FortiWeb configuration, rule, or certificate files outside of normal change windows.
  • Administrative session activity originating from unusual source addresses or at atypical times.

Detection Strategies

  • Inspect FortiWeb management plane logs for requests referencing absolute paths or traversal patterns on file-handling endpoints.
  • Correlate authenticated administrator sessions with subsequent filesystem-impacting operations to surface anomalous workflows.
  • Hash and baseline critical FortiWeb configuration and binary files, then alert on unauthorized changes.

Monitoring Recommendations

  • Forward FortiWeb administrative and audit logs to a centralized SIEM or data lake for long-term retention and correlation.
  • Alert on administrative logins followed by file management API calls outside approved maintenance windows.
  • Track failed and successful authentication attempts against the FortiWeb management interface to identify credential abuse leading up to exploitation.

How to Mitigate CVE-2025-25254

Immediate Actions Required

  • Upgrade FortiWeb to a fixed release as documented in the Fortinet PSIRT advisory FG-IR-24-474.
  • Restrict access to the FortiWeb management interface to a small set of trusted administrative networks.
  • Rotate administrator credentials and enforce multi-factor authentication on all FortiWeb admin accounts.
  • Review FortiWeb audit logs for evidence of traversal attempts or unexpected file modifications.

Patch Information

Fortinet has published guidance and fixed versions in the Fortinet Security Advisory FG-IR-24-474. Administrators should upgrade FortiWeb beyond version 7.6.2 on the 7.6 branch and beyond 7.4.6 on the 7.4 branch. Versions in the 7.2 and 7.0 branches are affected in full and should be migrated to a supported fixed release.

Workarounds

  • Limit administrative interface exposure to dedicated management VLANs or VPN-only access until patching is complete.
  • Reduce the number of accounts holding FortiWeb super-administrator privileges and apply least privilege to operational roles.
  • Monitor and alert on any administrative API calls that include path separators or encoded traversal sequences in parameters.
bash
# Restrict FortiWeb administrative access to trusted hosts
config system interface
  edit "port1"
    set allowaccess https ssh
    set trusthost1 10.0.0.0 255.255.255.0
  next
end

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypePath Traversal
  • Vendor/TechFortinet Fortiweb
  • SeverityHIGH
  • CVSS Score7.2
  • EPSS Probability0.23%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-22
  • Vendor Resources
  • Fortinet Security Advisory FG-IR-24-474
  • Related CVEs
  • CVE-2026-39814: Fortinet FortiWeb Path Traversal Flaw
  • CVE-2025-64446: Fortinet FortiWeb Path Traversal Flaw
  • CVE-2026-40688: Fortinet FortiWeb RCE Vulnerability
  • CVE-2026-39811: Fortinet FortiWeb DoS Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English