Cyber Resilience

CVE-2025-64447

High

Published: 09 December 2025

Modified: 09 December 2025
KEV Added: not listed
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0019 (40.6th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-64447 is a high-severity vulnerability in Fortinet FortiWeb classified as Reliance on Cookies without Validation and Integrity Checking (CWE-565). Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 40.6th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-64447 is a vulnerability stemming from reliance on cookies without validation and integrity checking, classified under CWE-565, in Fortinet FortiWeb web application firewall. The issue affects FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to potential for significant impacts across confidentiality, integrity, and availability.

An unauthenticated attacker who already knows the target's FortiWeb serial number can exploit the weakness by sending crafted HTTP or HTTPS requests that carry forged cookies. Successful exploitation allows arbitrary operations on the system. The serial-number precondition is why the vector is rated high attack complexity (AC:H); it also means that, until affected devices are patched, the serial number should be handled as sensitive (kept out of tickets, screenshots and shared inventories) rather than as a harmless asset label, because the advisory names it as the only precondition beyond network reachability.
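The weakness class behind this CVE is easiest to see side by side: a cookie whose integrity tag is keyed only by a value an attacker can learn (a device identifier, here a placeholder serial) versus one keyed by a random server-side secret, compared in constant time and bounded by an expiry. The following is an added illustration of CWE-565 written for this page; it is not FortiWeb code and says nothing about how FortiWeb actually derives or checks its cookies. `DEVICE_SERIAL`, the session fields and the `CookieSigner` class are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Added illustration of CWE-565 (Reliance on Cookies without Validation and
# Integrity Checking). The "forgeable" scheme is a hypothetical stand-in for the
# weakness class; it is NOT a description of FortiWeb's cookie format.
# DEVICE_SERIAL is a constructed placeholder value.
DEVICE_SERIAL = "FV-0000000000"


def _encode(payload: dict) -> str:
    return base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()


def _decode(body: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(body.encode()))


# --- Forgeable: integrity tag keyed only by a value the attacker can learn ---
def forgeable_mint(session: dict, device_serial: str) -> str:
    body = _encode(session)
    tag = hashlib.sha256((device_serial + body).encode()).hexdigest()
    return f"{body}.{tag}"


def forgeable_verify(cookie: str, device_serial: str) -> Optional[dict]:
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hashlib.sha256((device_serial + body).encode()).hexdigest()
    if tag != expected:  # plain compare is also a timing side channel; fixed below
        return None
    return _decode(body)


# --- Hardened: HMAC with a random server-side key, constant-time compare, expiry ---
class CookieSigner:
    def __init__(self, key: Optional[bytes] = None, ttl: int = 3600):
        # Key is generated per deployment and never derived from device identity.
        self.key = key if key is not None else secrets.token_bytes(32)
        self.ttl = ttl

    def sign(self, session: dict, now: Optional[int] = None) -> str:
        issued = int(now if now is not None else time.time())
        body = _encode(dict(session, exp=issued + self.ttl))
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{tag}"

    def verify(self, cookie: str, now: Optional[int] = None) -> Optional[dict]:
        body, sep, tag = cookie.rpartition(".")
        if not sep:
            return None
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        # Check the MAC before touching the payload, in constant time.
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return None
        try:
            payload = _decode(body)
        except ValueError:  # bad base64 / bad JSON / bad UTF-8
            return None
        if payload.get("exp", 0) < int(now if now is not None else time.time()):
            return None
        return payload


def demo() -> dict:
    """Attacker knows the serial but not the server key. Reports what each scheme accepts."""
    forged = forgeable_mint({"user": "admin", "role": "admin"}, DEVICE_SERIAL)
    signer = CookieSigner(ttl=60)
    attacker = CookieSigner(key=DEVICE_SERIAL.encode(), ttl=60)  # attacker's best guess at the key
    legit = signer.sign({"user": "alice", "role": "user"}, now=1_000)
    return {
        "forgeable_accepts_forgery": forgeable_verify(forged, DEVICE_SERIAL) is not None,
        "hardened_rejects_forgery": signer.verify(attacker.sign({"user": "admin"}, now=1_000), now=1_010) is None,
        "hardened_accepts_legit": signer.verify(legit, now=1_010) is not None,
        "hardened_rejects_expired": signer.verify(legit, now=1_100) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened variant is not the HMAC by itself but what keys it: an attacker who knows every public fact about the device still cannot mint a valid tag, and a server-side session store with opaque random identifiers would serve equally well. Expiry and invalidation limit how long a stolen cookie stays useful, which is the session-authenticity angle the mitigating controls below refer to.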

Mitigation details are outlined in the Fortinet PSIRT advisory available at https://fortiguard.fortinet.com/psirt/FG-IR-25-945. Security practitioners should consult this reference for patching instructions and workarounds applicable to affected versions.


Vulnerability details

A reliance on cookies without validation and integrity checking vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an unauthenticated attacker to execute arbitrary operations on the system via crafted HTTP or HTTPS request via forged cookies, requiring prior knowledge of the FortiWeb serial number.

CWE(s)

CWE-565 Reliance on Cookies without Validation and Integrity Checking

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated attackers to exploit a public-facing web application firewall (FortiWeb) via forged cookies, enabling arbitrary system operations, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-55594 (same product: Fortinet FortiWeb)
CVE-2025-52970 (same product: Fortinet FortiWeb)
CVE-2025-59719 (same product: Fortinet FortiWeb)
CVE-2026-40688 (same product: Fortinet FortiWeb)
CVE-2025-66178 (same product: Fortinet FortiWeb)
CVE-2023-42784 (same product: Fortinet FortiWeb)
CVE-2024-55597 (same product: Fortinet FortiWeb)
CVE-2024-50567 (same product: Fortinet FortiWeb)
CVE-2024-50569 (same product: Fortinet FortiWeb)
CVE-2026-24017 (same product: Fortinet FortiWeb)

Affected Assets

Vendor: fortinet
Product: fortiweb
Affected versions: 7.0.0 to 7.0.11 · 7.2.0 to 7.2.11 · 7.4.0 to 7.4.10 · 7.6.0 to 7.6.5 · 8.0.0 to 8.0.1
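A first triage step is to run an inventory export against the affected ranges above. The helper below is an added example for this page, not a Fortinet tool; the ranges are taken from the page as listed, and it deliberately reports anything outside them as "not in a listed affected range" rather than "fixed", because fixed versions are not stated here and must be confirmed against FG-IR-25-945. The hostnames and version strings in `SAMPLE_INVENTORY` are constructed.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges exactly as listed on this page. Fixed versions are
# not stated here; confirm them against Fortinet PSIRT advisory FG-IR-25-945.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((7, 0, 0), (7, 0, 11)),
    ((7, 2, 0), (7, 2, 11)),
    ((7, 4, 0), (7, 4, 10)),
    ((7, 6, 0), (7, 6, 5)),
    ((8, 0, 0), (8, 0, 1)),
]

# Accepts "7.4.10", "v7.6.3" and strings with a trailing build suffix.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract major.minor.patch as a tuple so ranges compare numerically, not lexically."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def status(version_text: str) -> str:
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    if any(lo <= v <= hi for lo, hi in AFFECTED_RANGES):
        return "affected"
    return "not in a listed affected range"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """inventory: (hostname, version string) pairs, e.g. from a CMDB export (assumed format)."""
    return [(host, ver, status(ver)) for host, ver in inventory]


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("waf-dmz-01", "7.4.10"),
    ("waf-dmz-02", "v7.6.3,build1234"),
    ("waf-lab-01", "8.0.1"),
    ("waf-lab-02", "8.0.2"),
    ("waf-old-01", "6.4.3"),
    ("waf-unknown", "n/a"),
]

if __name__ == "__main__":
    for host, ver, st in triage(SAMPLE_INVENTORY):
        print(f"{host:<12} {ver:<18} {st}")
```

Tuple comparison matters here: a string compare would place "7.4.9" after "7.4.10". The "unparseable" bucket is kept separate so that hosts with missing version data surface for manual follow-up instead of silently dropping out of the affected list.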

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent)

Directly addresses the core weakness by requiring validation and integrity checks on information inputs such as cookies, so forged values are rejected before they reach application logic.

AC-3 Access Enforcement (prevent)

Enforces approved access authorizations on the server side, so a forged cookie that is accepted does not by itself translate into arbitrary operations.

Session authenticity (prevent)

Provides mechanisms for session identifier authenticity and invalidation, reducing the risk of cookie forgery and session hijacking even by an attacker who knows the serial number.

References

Fortinet PSIRT advisory FG-IR-25-945: https://fortiguard.fortinet.com/psirt/FG-IR-25-945