CVE-2025-64471

Summary

A use of password hash instead of password for authentication vulnerability [CWE-836] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an unauthenticated attacker to use the hash in place of the password to authenticate via crafted HTTP/HTTPS requests

Affected Software

VendorProductVersion RangeStatus
FortinetFortiWeb8.0.0 <= 8.0.1affected
FortinetFortiWeb7.6.0 <= 7.6.5affected
FortinetFortiWeb7.4.0 <= 7.4.10affected
FortinetFortiWeb7.2.0 <= 7.2.11affected
FortinetFortiWeb7.0.0 <= 7.0.11affected

Weaknesses

  • CWE-836: Escalation of privilege

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References