Vulnerabilities
Given the recent discovery of a critical vulnerability (CVE-2025-64446) in FortiWeb appliances (exploitable via the management interface), I thought I would have a look at what other vulnerabilities have been discovered or published in 2025 and what Proof of Concept (PoC) exploits exist for them.
I’ve used Grok to create a table:
| CVE ID | Description | Publication Date | Exploit PoC Release Date |
|---|---|---|---|
| CVE-2025-64446 | Relative path traversal allowing unauthenticated admin command execution via crafted HTTP/HTTPS requests | 2025-11-14 | 2025-11-14 |
| CVE-2025-25257 | SQL injection allowing unauthenticated execution of unauthorized SQL code/commands via crafted requests | 2025-07-08 | 2025-07-11 |
| CVE-2025-52970 | Improper handling of parameters enabling unauthenticated authentication bypass with non-public info | 2025-08-12 | N/A |
| CVE-2025-25254 | Path traversal allowing authenticated admin filesystem access/modification | 2025-04-08 | N/A |
| CVE-2025-27759 | OS command injection allowing authenticated privileged code/command execution via crafted CLI | 2025-08-12 | N/A |
| CVE-2025-53609 | Relative path traversal allowing authenticated arbitrary file read | 2025-09-09 | N/A |
| CVE-2025-47857 | OS command injection allowing privileged arbitrary code/command execution via crafted CLI | 2025-08-12 | N/A |
| CVE-2025-32766 | Stack-based buffer overflow allowing privileged arbitrary code execution via crafted CLI | 2025-08-12 | N/A |
CVE-2025-64446
This path traversal has been used to create an application administrator user to provide persistent access via the management web interface.
https://fortiguard.fortinet.com/psirt/FG-IR-25-910
This was first posted on Twitter by a honeypot network (Defused Cyber) on October 6th; however, it was not recognised as a zero-day until this week.
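The root cause class in the table above, relative path traversal, comes down to a handler checking a request path before it has been canonicalised. The following is an added example written for this post (it is not Fortinet code and not the published PoC); the `/static/` prefix and the request paths are hypothetical. It shows a naive prefix check beside a hardened one that percent-decodes and collapses `..` segments before deciding whether the path stays inside the allowed prefix.

```python
"""Naive versus canonicalised path checks (added illustration, hypothetical paths)."""
from urllib.parse import unquote

# Hypothetical URL prefix that this handler is allowed to serve.
ALLOWED_PREFIX = "/static/"


def naive_check(request_path: str) -> bool:
    """Flawed check: trusts the raw string, so '..' and %2e%2e segments slip through."""
    return request_path.startswith(ALLOWED_PREFIX)


def canonicalise(request_path: str) -> str:
    """Percent-decode (twice, to also catch double encoding), then collapse '.' and '..'."""
    decoded = unquote(unquote(request_path))
    parts: list[str] = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue  # empty segments from '//' and '.' do not change the location
        if segment == "..":
            if parts:
                parts.pop()  # step up one directory, never above the root
            continue
        parts.append(segment)
    return "/" + "/".join(parts)


def hardened_check(request_path: str) -> bool:
    """Resolve the path first, then require it to remain under the allowed prefix."""
    resolved = canonicalise(request_path)
    return resolved.startswith(ALLOWED_PREFIX)


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, two that try to step out of the prefix.
    for path in ("/static/css/site.css", "/static/../admin/users", "/static/%2e%2e/admin/users"):
        print(f"{path!r}: naive={naive_check(path)} hardened={hardened_check(path)}")
```

The point for defenders is that the check and the filesystem (or routing) lookup must see the same string: canonicalise once, check the canonical form, and use only that form afterwards.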
A full PoC was released by watchTowr:
CVE-2025-25257
https://www.fortiguard.com/psirt/FG-IR-25-151
This was an unauthenticated SQL injection. It could potentially be used to create local users in the web application as a form of backdoor/persistent access, and it could also have been used to drop a web shell, among other things.
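For the SQL injection class, the fix is the same regardless of product: never build the statement from user input. The following is an added example written for this post, not FortiWeb code and not related to the published PoC; the `users` table and the lookup function are hypothetical. It puts a string-concatenated query beside a parameterised one, on an in-memory SQLite database, so the difference in behaviour for the same hostile input can be seen directly.

```python
"""String-built versus parameterised query (added illustration, hypothetical schema)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny local user table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "viewer")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list[tuple[str, str]]:
    """Vulnerable: the caller's string becomes part of the SQL grammar."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list[tuple[str, str]]:
    """Hardened: the driver binds the value, so it can only ever be compared as data."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # classic textbook input that closes the quote
    print("unsafe:", lookup_unsafe(db, hostile))  # returns every row
    print("safe:  ", lookup_safe(db, hostile))    # returns no rows
```

Beyond the query itself, a management interface that is not reachable from untrusted networks removes the unauthenticated precondition for both of the 2025 PoC'd bugs; the advisories above list the affected versions to patch to.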