CVE-2025-64471 Overview
CVE-2025-64471 is an authentication weakness in Fortinet FortiWeb that allows unauthenticated attackers to authenticate using a password hash in place of the plaintext password. The flaw is classified under CWE-836: Use of Password Hash Instead of Password for Authentication. Affected versions span FortiWeb 7.0.0 through 8.0.1. Attackers can submit crafted HTTP or HTTPS requests containing a captured or leaked hash value, and the application accepts it as proof of identity. Successful exploitation grants unauthorized access to FortiWeb management functions, undermining the integrity of the web application firewall.
Critical Impact
Unauthenticated attackers with access to a password hash can authenticate to FortiWeb over the network and gain administrative control of the web application firewall.
Affected Products
- Fortinet FortiWeb 8.0.0 through 8.0.1
- Fortinet FortiWeb 7.6.0 through 7.6.5 and 7.4.0 through 7.4.10
- Fortinet FortiWeb 7.2.0 through 7.2.11 and 7.0.0 through 7.0.11
Discovery Timeline
- 2025-12-09 - CVE-2025-64471 published to NVD
- 2025-12-10 - Last updated in NVD database
Technical Details for CVE-2025-64471
Vulnerability Analysis
The vulnerability resides in the FortiWeb authentication routine that processes HTTP and HTTPS login requests. Rather than treating the stored password hash as a verification target, the implementation accepts the hash itself as a valid credential. An attacker who obtains a hash from a backup, configuration export, log file, or related Fortinet disclosure can replay it directly against the management interface. The bypass requires no prior session, no user interaction, and no elevated privileges.
FortiWeb is deployed as a web application firewall in front of business-critical applications. Administrative access permits attackers to modify protection policies, disable inspection rules, exfiltrate logged traffic data, or pivot into protected applications. The impact falls mainly on integrity: an attacker can silently weaken the filtering posture of the appliance.
Root Cause
The authentication function compares the supplied credential against the stored hash without first hashing the supplied input. This logic error collapses the distinction between knowing the password and possessing its hash, defeating the core purpose of password hashing.
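The logic error described above, shown as an added illustration in Python (this is generic example code, not FortiWeb's implementation or Fortinet's code). The stored record format, the PBKDF2 parameters and the function names are assumptions made for the example. The vulnerable verifier compares the supplied credential to the stored record before hashing it, so the record itself logs in; the fixed verifier only ever compares a digest derived from the supplied plaintext.

```python
import hashlib
import hmac
import os

# Assumed record layout for this example (not a Fortinet format):
#   "pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>"
ITERATIONS = 200_000


def make_record(password: str, salt: bytes = b"") -> str:
    """Derive a stored credential record from a plaintext password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_fixed(stored_record: str, supplied: str) -> bool:
    """Correct pattern: hash the supplied plaintext with the stored salt and
    parameters, then compare digests in constant time. The raw supplied
    value is never compared to the stored record."""
    try:
        algo, iters, salt_hex, digest_hex = stored_record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        # Malformed record: fail closed rather than fall back to a raw compare.
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", supplied.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def verify_vulnerable(stored_record: str, supplied: str) -> bool:
    """CWE-836 pattern: the supplied credential is first compared against the
    stored record as-is. Anyone holding the record (from a backup, config
    export or log) authenticates without knowing the password."""
    if hmac.compare_digest(stored_record.encode(), supplied.encode()):
        return True  # the defect: possession of the hash equals knowledge of the password
    return verify_fixed(stored_record, supplied)


if __name__ == "__main__":
    record = make_record("correct horse")
    print("vulnerable accepts hash:", verify_vulnerable(record, record))
    print("fixed accepts hash:     ", verify_fixed(record, record))
```

The fixed verifier also refuses malformed records instead of degrading to a string comparison, which is the kind of fallback that lets a hash-as-password check creep into an authentication routine.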
Attack Vector
Exploitation occurs remotely over the network against the FortiWeb HTTP and HTTPS management interface. The attacker sends an authentication request where the password field carries the hash value taken from any source that exposes the credential store. No PoC code has been publicly released, and no synthetic exploit example is provided.
Detection Methods for CVE-2025-64471
Indicators of Compromise
- Successful administrative logins from unfamiliar source IP addresses outside management network ranges.
- Authentication events for administrative accounts followed by changes to WAF policies, signatures, or logging configuration.
- HTTP or HTTPS requests to FortiWeb authentication endpoints containing credential strings that resemble hash formats rather than plaintext.
Detection Strategies
- Review FortiWeb authentication and audit logs for logins that do not correlate with known administrator activity or jump-host sources.
- Correlate management plane logins with subsequent policy modifications, user creations, and certificate or backup operations.
- Alert on access to the FortiWeb administrative interface from any source outside an allow-list of management workstations.
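The allow-list and login-to-change correlation from the three strategies above, as an added Python example that is not part of the original page and not Fortinet's tooling. The key=value log lines, their field names, the management network range and the 30-minute correlation window are all constructed assumptions for the example rather than FortiWeb's real log schema; adapt the parser to the fields your SIEM receives.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log lines in a generic key=value style. The field names
# and values are assumptions for this example, not FortiWeb's real log schema.
SAMPLE_LOGS = [
    'date=2025-12-10 time=08:01:12 user="admin" srcip=10.10.0.25 action=login status=success',
    'date=2025-12-10 time=08:03:40 user="admin" srcip=10.10.0.25 action=config-change object="policy.web-app-1"',
    'date=2025-12-10 time=13:22:05 user="admin" srcip=203.0.113.77 action=login status=success',
    'date=2025-12-10 time=13:24:18 user="admin" srcip=203.0.113.77 action=config-change object="signature.set-default"',
    'date=2025-12-10 time=13:25:02 user="admin" srcip=203.0.113.77 action=config-change object="log.settings"',
    'date=2025-12-10 time=15:10:00 user="auditor" srcip=10.10.0.40 action=login status=success',
]

# Allow-list of management workstations and jump hosts (assumed range).
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
# How long after a login a configuration change is still attributed to it.
CHANGE_WINDOW = timedelta(minutes=30)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split a key=value log line into a dict and add a parsed timestamp."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.fromisoformat(f"{fields['date']}T{fields['time']}")
    return fields


def outside_allowlist(ip):
    """True when the source address is not inside any management network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in MANAGEMENT_NETS)


def find_suspicious_logins(lines):
    """Flag successful logins from outside the allow-list and attach the
    configuration changes the same user and source made within CHANGE_WINDOW."""
    events = [parse_line(line) for line in lines]
    alerts = []
    for ev in events:
        if ev.get("action") != "login" or ev.get("status") != "success":
            continue
        if not outside_allowlist(ev["srcip"]):
            continue
        follow_on = [
            e["object"] for e in events
            if e.get("action") == "config-change"
            and e["user"] == ev["user"] and e["srcip"] == ev["srcip"]
            and ev["ts"] <= e["ts"] <= ev["ts"] + CHANGE_WINDOW
        ]
        alerts.append({
            "user": ev["user"],
            "srcip": ev["srcip"],
            "ts": ev["ts"].isoformat(),
            "follow_on_changes": follow_on,
            # An unexpected source that goes on to touch policies, signatures
            # or logging is the pattern to escalate first.
            "severity": "high" if follow_on else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_LOGS):
        print(alert)
```

Run against the constructed sample, the 08:01 and 15:10 logins are ignored because they come from the management range, while the 13:22 login from 203.0.113.77 is reported at high severity with the two configuration changes that followed it attached.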
Monitoring Recommendations
- Forward FortiWeb syslog events to a centralized SIEM and build detections around administrative authentication anomalies.
- Monitor north-south traffic to FortiWeb management ports (typically 443 and 8443) for unexpected external sources.
- Track configuration drift on FortiWeb appliances and trigger investigation on any unscheduled change.
How to Mitigate CVE-2025-64471
Immediate Actions Required
- Apply the fixed FortiWeb release identified in the Fortinet PSIRT Advisory FG-IR-25-984 for your branch.
- Restrict access to the FortiWeb administrative interface to a dedicated management network and trusted jump hosts only.
- Rotate all administrative credentials and API tokens after patching, assuming hash exposure is possible.
Patch Information
Fortinet has published remediation guidance and fixed builds in the Fortinet PSIRT Advisory FG-IR-25-984. Administrators should upgrade FortiWeb to the vendor-specified fixed version corresponding to their currently deployed branch (7.0.x, 7.2.x, 7.4.x, 7.6.x, or 8.0.x).
Workarounds
- Disable HTTP and HTTPS administrative access on untrusted interfaces until the patch is applied.
- Enforce trusted host configuration so that administrative logins are accepted only from defined source addresses.
- Require multi-factor authentication on all FortiWeb administrator accounts to limit the value of a stolen hash.
# Example: restrict FortiWeb administrative access to a trusted host
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set accprofile "super_admin"
    next
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.