CVE-2025-64447: Reliance on Cookies without Validation and Integrity Checking in Fortinet FortiWeb

Severity: 8.1 HIGH (NVD)
EPSS: 0.2% (top 53.76%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Dec 9

Description

A reliance on cookies without validation and integrity checking vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, and FortiWeb 7.0.0 through 7.0.11 may allow an unauthenticated attacker to execute arbitrary operations on the system via crafted HTTP or HTTPS requests carrying forged cookies, requiring prior knowledge of the FortiWeb serial number.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 2.2 | Impact: 5.9)

Affected Packages (2 packages)

CVEListV5: fortinet/fortiweb 8.0.0 to 8.0.1 (+4 more ranges)
NVD: fortinet/fortiweb 7.0.0 to 7.0.11 (+4 more ranges)

Vulnerability Details (2)

GHSA: GHSA-fqxp-5rvv-7f48: A reliance on cookies without validation and integrity checking vulnerability in Fortinet FortiWeb 8… (2025-12-09)
CVEList: CVE-2025-64447: A reliance on cookies without validation and integrity checking vulnerability in Fortinet FortiWeb 8… (2025-12-09)

Vendor Advisories (1)

Fortinet: Capacity to forge authentication cookies (2025-12-09)

Threat Intelligence (1)

Wiz: CVE-2025-64447 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-64447 — Fortinet Fortiweb vulnerability | cvebase