CVE-2025-64471
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-12-09
Last updated on: 2025-12-10
Assigner: Fortinet, Inc.
Description
Description
A use of password hash instead of password for authentication vulnerability [CWE-836] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an unauthenticated attacker to use the hash in place of the password to authenticate via crafted HTTP/HTTPS requests
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fortinet | fortiweb | 7.2.3 |
| fortinet | fortiweb | 7.0.6 |
| fortinet | fortiweb | 7.6.0 |
| fortinet | fortiweb | 7.2.6 |
| fortinet | fortiweb | 7.0.9 |
| fortinet | fortiweb | 7.2.4 |
| fortinet | fortiweb | 7.0.1 |
| fortinet | fortiweb | 7.4.8 |
| fortinet | fortiweb | 7.2.2 |
| fortinet | fortiweb | 7.4.9 |
| fortinet | fortiweb | 7.2.8 |
| fortinet | fortiweb | 7.4.0 |
| fortinet | fortiweb | 7.2.0 |
| fortinet | fortiweb | 7.6.3 |
| fortinet | fortiweb | 7.4.10 |
| fortinet | fortiweb | 7.4.4 |
| fortinet | fortiweb | 7.0.0 |
| fortinet | fortiweb | 7.0.8 |
| fortinet | fortiweb | 7.2.9 |
| fortinet | fortiweb | 7.0.4 |
| fortinet | fortiweb | 7.6.4 |
| fortinet | fortiweb | 7.4.3 |
| fortinet | fortiweb | 7.0.2 |
| fortinet | fortiweb | 7.4.2 |
| fortinet | fortiweb | 7.4.7 |
| fortinet | fortiweb | 8.0.1 |
| fortinet | fortiweb | 7.2.5 |
| fortinet | fortiweb | 7.2.1 |
| fortinet | fortiweb | 7.2.7 |
| fortinet | fortiweb | 7.0.5 |
| fortinet | fortiweb | 7.0.3 |
| fortinet | fortiweb | 7.4.5 |
| fortinet | fortiweb | 7.6.1 |
| fortinet | fortiweb | 7.6.2 |
| fortinet | fortiweb | 7.4.1 |
| fortinet | fortiweb | 7.0.10 |
| fortinet | fortiweb | 8.0.0 |
| fortinet | fortiweb | 7.2.10 |
| fortinet | fortiweb | 7.0.7 |
| fortinet | fortiweb | 7.2.11 |
| fortinet | fortiweb | 7.0.11 |
| fortinet | fortiweb | 7.4.6 |
| fortinet | fortiweb | From 7.6.0 (inc) to 7.6.4 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-836 | The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the use of a password hash instead of the actual password for authentication in certain versions of Fortinet FortiWeb. An unauthenticated attacker can exploit this by using the password hash in place of the password through specially crafted HTTP or HTTPS requests to gain authentication.
How can this vulnerability impact me? :
The vulnerability may allow an unauthenticated attacker to authenticate to the affected FortiWeb systems without knowing the actual password, potentially leading to unauthorized access and control over the system.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70