CVE-2025-25254: Path Traversal in Fortinet FortiWeb

CWE-22: Path Traversal (4 documents, 4 sources)

Severity: 7.2 HIGH (NVD)
EPSS: 0.7% (top 28.75%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Apr 8

Description

An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb version 7.6.2 and below, version 7.4.6 and below, 7.2 all versions, 7.0 all versions endpoint may allow an authenticated admin to access and modify the filesystem via crafted requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages (2 packages)

Source      Package             Versions          Additional ranges
NVD         fortinet/fortiweb   7.0.0 to 7.4.7    +1
CVEListV5   fortinet/fortiweb   7.6.0 to 7.6.2    +3

Vulnerability Details (2 entries)

CVEList: CVE-2025-25254: An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb version 7... (2025-04-08)
GHSA: GHSA-q7jr-v677-ww76: An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb version 7... (2025-04-08)

Vendor Advisories (1 entry)

Fortinet: An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb ver... (2025-04-08)
CVE-2025-25254 — Path Traversal in Fortinet Fortiweb | cvebase