CVE-2025-64447: Fortinet FortiWeb Auth Bypass Vulnerability

CVE-2025-64447 is an authentication bypass flaw in Fortinet FortiWeb that allows attackers to execute unauthorized operations via forged cookies. This article covers technical details, affected versions, and mitigation.

Published: April 29, 2026

CVE-2025-64447 Overview

CVE-2025-64447 is a critical cookie validation and integrity checking vulnerability affecting Fortinet FortiWeb, a widely deployed web application firewall (WAF) solution. This vulnerability stems from the application's reliance on cookies without proper validation and integrity checking (CWE-565), allowing unauthenticated attackers to execute arbitrary operations on the system through crafted HTTP or HTTPS requests containing forged cookies.

The attack requires prior knowledge of the FortiWeb device's serial number, which serves as a prerequisite for successfully exploiting this vulnerability. Once an attacker obtains this information, they can craft malicious requests that bypass authentication controls and perform unauthorized operations on the FortiWeb system.

Critical Impact

Unauthenticated remote attackers can execute arbitrary operations on FortiWeb systems via forged cookies, potentially leading to complete system compromise, unauthorized configuration changes, and security policy bypasses.

Affected Products

  • Fortinet FortiWeb 8.0.0 through 8.0.1
  • Fortinet FortiWeb 7.6.0 through 7.6.5
  • Fortinet FortiWeb 7.4.0 through 7.4.10
  • Fortinet FortiWeb 7.2.0 through 7.2.11
  • Fortinet FortiWeb 7.0.0 through 7.0.11

Discovery Timeline

  • 2025-12-09 - CVE-2025-64447 published to NVD
  • 2025-12-09 - Last updated in NVD database

Technical Details for CVE-2025-64447

Vulnerability Analysis

This vulnerability exists within FortiWeb's cookie handling mechanism, where the application fails to properly validate and verify the integrity of cookie values before processing them. The weakness falls under CWE-565 (Reliance on Cookies without Validation and Integrity Checking), which indicates that the application trusts cookie data without implementing proper cryptographic verification or server-side validation.

FortiWeb, as a web application firewall, processes incoming HTTP and HTTPS requests to protect backend web applications. The cookie validation flaw allows attackers to forge authentication or session cookies that the system will accept as legitimate, effectively bypassing security controls designed to restrict access to administrative or privileged functions.

The network-accessible nature of this vulnerability means that any attacker who can reach the FortiWeb management interface or protected web applications can attempt exploitation. While the attack does require prior knowledge of the device's serial number (adding complexity), serial numbers may be obtainable through various means including device labels, documentation, or information disclosure vulnerabilities.

Root Cause

The root cause of CVE-2025-64447 is the insufficient validation of cookie integrity within FortiWeb's request handling logic. The application accepts and processes cookie values without verifying their authenticity through cryptographic signatures, HMAC validation, or server-side session verification. This design flaw allows attackers to craft arbitrary cookie values that the system interprets as valid, provided they possess the device serial number used in the cookie generation or validation process.
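The CWE-565 pattern described above, as an added illustration that is not FortiWeb's code (the page does not describe the actual cookie format): a verifier that trusts the cookie payload as-is, beside one that checks an HMAC-SHA256 tag computed with a per-installation secret, plus a tamper test to confirm the hardened verifier rejects a modified payload. All names and the cookie layout are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed server-side secret. It must be generated per installation and
# never derived from public values such as a device serial number.
SERVER_SECRET = secrets.token_bytes(32)


def _encode(session: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()


def _decode(payload: str) -> Optional[dict]:
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def issue_cookie(session: dict, secret: bytes = SERVER_SECRET) -> str:
    """Serialize the session and append an HMAC-SHA256 tag over the payload."""
    payload = _encode(session)
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie_unchecked(cookie: str) -> Optional[dict]:
    """CWE-565 pattern: trusts the payload as-is and never checks the tag."""
    return _decode(cookie.split(".", 1)[0])


def verify_cookie_hmac(cookie: str, secret: bytes = SERVER_SECRET) -> Optional[dict]:
    """Hardened pattern: recompute the tag and compare in constant time first."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _decode(payload)


def tamper_payload(cookie: str, new_session: dict) -> str:
    """Integrity test helper: swap the payload while keeping the original tag."""
    _, _, tag = cookie.rpartition(".")
    return f"{_encode(new_session)}.{tag}"
```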

Attack Vector

The attack is conducted over the network via HTTP or HTTPS requests directed at the FortiWeb appliance. An attacker must first obtain the target device's serial number, which may be accomplished through social engineering, physical access to device labels, or exploitation of information disclosure vulnerabilities.

Once the serial number is known, the attacker constructs crafted cookies that bypass the authentication or authorization checks. These forged cookies are submitted via HTTP or HTTPS requests, and due to the lack of proper validation, the FortiWeb system processes them as legitimate, granting the attacker unauthorized access to system operations.

The vulnerability does not require any user interaction or prior authentication, making it particularly dangerous for internet-exposed FortiWeb deployments. The impact spans confidentiality, integrity, and availability, as successful exploitation could allow attackers to read sensitive configurations, modify security policies, or disrupt WAF functionality.

Detection Methods for CVE-2025-64447

Indicators of Compromise

  • Unusual HTTP/HTTPS requests to FortiWeb management interfaces containing malformed or unexpected cookie values
  • Authentication logs showing successful access without corresponding valid login events
  • Unexpected configuration changes or system operations performed by unauthenticated sessions
  • Network traffic patterns indicating reconnaissance attempts to gather device serial numbers

Detection Strategies

  • Implement network monitoring to detect anomalous requests to FortiWeb management ports
  • Review FortiWeb audit logs for unauthorized administrative actions or configuration modifications
  • Deploy intrusion detection signatures to identify cookie manipulation attempts targeting FortiWeb
  • Monitor for attempts to access device serial number information through various channels

Monitoring Recommendations

  • Enable comprehensive logging on all FortiWeb appliances and forward logs to a centralized SIEM
  • Establish baseline metrics for normal FortiWeb administrative access patterns and alert on deviations
  • Implement network segmentation monitoring to detect unauthorized access attempts to management interfaces
  • Configure alerts for any configuration changes or privileged operations on FortiWeb systems
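The log review the detection and monitoring bullets above call for, as an added example that is not part of the original page: it walks audit events in order and flags privileged actions whose session never had a successful login, or whose source address lies outside the trusted management network. The key=value log format, field names and sample lines are constructed for the example and are not FortiWeb's real log schema.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample audit lines in a simplified key=value format. This is not
# FortiWeb's real log schema; the field names here are hypothetical.
SAMPLE_LOGS = """\
2025-12-10T08:00:01Z event=login user=admin src=10.0.1.15 session=s1 result=success
2025-12-10T08:00:30Z event=config_change user=admin src=10.0.1.15 session=s1 action=edit_policy
2025-12-10T09:12:07Z event=config_change user=admin src=203.0.113.44 session=s9 action=disable_waf
2025-12-10T09:12:09Z event=admin_action user=admin src=203.0.113.44 session=s9 action=export_config
"""

# Events that should only ever follow a successful login on the same session.
PRIVILEGED_EVENTS = {"config_change", "admin_action"}
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split 'timestamp key=value ...' into a dict, keeping the timestamp as 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def find_suspicious_admin_activity(logs: str, trusted_mgmt_nets: List[str]) -> List[Dict[str, str]]:
    """Flag privileged events whose session never logged in before the action,
    or whose source lies outside the trusted management networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_mgmt_nets]
    authenticated = set()  # sessions established by a successful login, in log order
    alerts = []
    for raw in logs.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        if e.get("event") == "login" and e.get("result") == "success":
            authenticated.add(e.get("session"))
            continue
        if e.get("event") not in PRIVILEGED_EVENTS:
            continue
        reasons = []
        if e.get("session") not in authenticated:
            reasons.append("no_login_for_session")
        src = e.get("src")
        if src is None or not any(ipaddress.ip_address(src) in n for n in nets):
            reasons.append("src_outside_mgmt_net")
        if reasons:
            alerts.append({**e, "reasons": ",".join(reasons)})
    return alerts
```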

How to Mitigate CVE-2025-64447

Immediate Actions Required

  • Update all affected FortiWeb appliances to the latest patched firmware version immediately
  • Restrict network access to FortiWeb management interfaces to trusted IP ranges only
  • Review FortiWeb access logs for any signs of unauthorized access or suspicious activity
  • Ensure FortiWeb serial numbers are treated as sensitive information and not publicly disclosed

Patch Information

Fortinet has released security updates to address this vulnerability. Administrators should consult the Fortinet PSIRT Advisory FG-IR-25-945 for detailed patching instructions and updated firmware versions. Organizations should prioritize patching based on the exposure level of their FortiWeb deployments, with internet-facing systems requiring immediate attention.

Workarounds

  • Implement strict network access controls to limit management interface exposure to trusted networks only
  • Configure firewall rules to block external access to FortiWeb administrative ports
  • Enable additional authentication mechanisms such as certificate-based authentication where supported
  • Monitor and audit all access to FortiWeb systems until patches can be applied
```bash
# Example: Restrict management access to specific trusted networks
# This should be configured on your perimeter firewall or FortiWeb CLI
# Consult Fortinet documentation for specific CLI commands

# Network ACL example (conceptual - adapt to your environment)
# Restrict HTTPS management access (typically port 443 or 8443)
# Allow only from trusted management network: 10.0.1.0/24
# Deny all other external access to management interfaces
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Auth Bypass
  • Vendor/Tech: Fortinet Fortiweb
  • Severity: HIGH
  • CVSS Score: 8.1
  • EPSS Probability: 0.23%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: High
  • Integrity: None
  • Availability: High

CWE References

  • CWE-565

Vendor Resources

  • Fortinet PSIRT Advisory FG-IR-25-945

Related CVEs

  • CVE-2025-48840: Fortinet FortiWeb Auth Bypass Vulnerability
  • CVE-2026-24017: Fortinet FortiWeb Auth Bypass Vulnerability
  • CVE-2025-64471: Fortinet FortiWeb Auth Bypass Vulnerability
  • CVE-2025-59719: Fortinet FortiWeb Auth Bypass Vulnerability