CVE-2025-64447
published 2025-12-09


Priority: P2 (65)
Severity: High, CVSS 3.1 base score 8.1
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 7.36% (93.6th percentile)
A reliance on cookies without validation and integrity checking vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an unauthenticated attacker to execute arbitrary operations on the system via crafted HTTP or HTTPS request via forged cookies, requiring prior knowledge of the FortiWeb serial number.

Affected (7 ranges)

Vendor     Product    Version range     Fixed in
fortinet   fortinet   (not listed)      (not listed)
fortinet   fortiweb   (not listed)      (not listed)
fortinet   fortiweb   7.0.0 – 7.0.11    (not listed)
fortinet   fortiweb   7.2.0 – 7.2.11    (not listed)
fortinet   fortiweb   7.4.0 – 7.4.10    (not listed)
fortinet   fortiweb   7.6.0 – 7.6.5     (not listed)
fortinet   fortiweb   8.0.0 – 8.0.1     (not listed)

Detection & IOCs (extracted from sources)

  • Detect forged/crafted authentication cookies in HTTP or HTTPS requests targeting FortiWeb management interfaces — the vulnerability relies on cookies without validation or integrity checking, forged using the device serial number
  • Flag unauthenticated requests that successfully reach privileged operations on FortiWeb — attacker is unauthenticated but can execute arbitrary operations via forged cookies
  • Monitor for anomalous cookie values in requests to FortiWeb 7.0.x through 8.0.x — specifically cookies that appear structurally valid but originate from unauthenticated sessions (CWE-565: Reliance on Cookies without Validation and Integrity Checking)
  • Exploitation requires prior knowledge of the FortiWeb device serial number — exposure of serial numbers (e.g., via banners, SNMP, or prior recon) significantly increases risk
  • All affected FortiWeb versions across multiple major branches are vulnerable: 7.0.0–7.0.11, 7.2.0–7.2.11, 7.4.0–7.4.10, 7.6.0–7.6.5, 8.0.0–8.0.1