
Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability

Security firms say the flaw has been actively exploited for weeks, even as Fortinet quietly shipped fixes and CISA added the bug to its KEV catalog. The post Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability appeared first on SecurityWeek.


Fortinet on Friday warned of an exploited FortiWeb vulnerability that allows remote, unauthenticated attackers to gain administrative access to the web application firewall appliances.

Tracked as CVE-2025-64446 (CVSS score of 9.1), the bug is described as a relative path traversal issue that can be exploited via crafted HTTP or HTTPS requests to execute administrative commands on the system.

“Fortinet has observed this to be exploited in the wild,” the company noted in its advisory, without providing additional details on the attack(s).

The flaw impacts FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. The vulnerability was resolved in FortiWeb versions 8.0.2, 7.6.5, 7.4.10, 7.2.12, and 7.0.12.

On Friday, the US cybersecurity agency CISA added CVE-2025-64446 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to address it within a week.

Per Binding Operational Directive (BOD) 22-01, federal agencies are required to resolve vulnerabilities newly added to the KEV list within three weeks. The shorter, one-week deadline set for this bug underlines its severity.

The Fortinet and CISA warnings, however, come a bit late. On Thursday, multiple security firms warned of the in-the-wild exploitation of a vulnerability in FortiWeb version 8.0.1 and earlier appliances.

watchTowr pointed out that the attacks were indiscriminately targeting FortiWeb appliances globally, while PwnDefend and Rapid7 linked the attacks to an exploit Defused observed on October 6. Defused published proof-of-concept (PoC) code based on the exploit.

Both PwnDefend and Rapid7 noted that the exploit allows attackers to create administrator accounts on vulnerable devices. On November 6, Rapid7 observed a threat actor offering an alleged zero-day exploit targeting FortiWeb on a dark web forum, but could not link it to the exploited zero-day.

According to watchTowr’s technical writeup, CVE-2025-64446 consists of two vulnerabilities, namely a path traversal and an authentication bypass. By creating an admin account, the attackers can fully compromise the targeted appliances.

Although it made no mention of the security defect in FortiWeb 8.0.2’s release notes, Fortinet likely silently patched the vulnerability after learning of its in-the-wild exploitation in October, watchTowr points out.

Responding to a SecurityWeek inquiry, Fortinet refrained from sharing details on the observed attacks or on when it learned of the flaw’s exploitation.

“We are aware of this vulnerability and activated our PSIRT response and remediation efforts as soon as we learned of this matter, and those efforts remain ongoing,” a Fortinet spokesperson said.

“We are communicating directly with affected customers to advise on any necessary recommended actions. We urge our customers to refer to the advisory and follow the guidance provided [in] FG-IR-25-910,” the spokesperson continued.

In the advisory, Fortinet recommends that customers disable HTTP/HTTPS for internet-accessible interfaces until they upgrade to a patched FortiWeb version.

After the upgrade has been performed, customers should review their configuration and logs for unexpected modifications, such as the presence of unauthorized administrator accounts.
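The two practical steps in the advisory, checking whether a deployed build falls in one of the affected ranges listed above and then reviewing the administrator list after upgrading, can be scripted. The following is an added example written for this article, not code from Fortinet, SecurityWeek or watchTowr. The version ranges and fixed releases are the ones stated in the article; the assumption that any release later than the fixed one on the same branch also carries the fix, and the sample administrator account names, are the author's own constructions.

```python
"""Added example (not Fortinet's or SecurityWeek's code): classify a FortiWeb
version against the CVE-2025-64446 ranges the advisory lists, and flag
administrator accounts that are absent from a known-good baseline."""
from __future__ import annotations

# Affected ranges and fixed releases exactly as the article states them,
# keyed by (major, minor) release branch.
AFFECTED_RANGES: dict[tuple[int, int], tuple[tuple[int, int, int], tuple[int, int, int]]] = {
    (8, 0): ((8, 0, 0), (8, 0, 1)),
    (7, 6): ((7, 6, 0), (7, 6, 4)),
    (7, 4): ((7, 4, 0), (7, 4, 9)),
    (7, 2): ((7, 2, 0), (7, 2, 11)),
    (7, 0): ((7, 0, 0), (7, 0, 11)),
}
FIXED_VERSIONS: dict[tuple[int, int], tuple[int, int, int]] = {
    (8, 0): (8, 0, 2),
    (7, 6): (7, 6, 5),
    (7, 4): (7, 4, 10),
    (7, 2): (7, 2, 12),
    (7, 0): (7, 0, 12),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '7.4.9' or 'FortiWeb v7.4.9' into a comparable (major, minor, patch) tuple."""
    digits = text.strip().lower().removeprefix("fortiweb").strip().lstrip("v")
    parts = digits.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess_version(text: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for a version string.

    Assumption (not from the advisory): releases newer than the fixed build
    on the same branch are treated as fixed. Branches the advisory does not
    mention (e.g. 6.x) are reported as 'not listed' rather than guessed at.
    """
    version = parse_version(text)
    branch = version[:2]
    if branch not in AFFECTED_RANGES:
        return "not listed"
    low, high = AFFECTED_RANGES[branch]
    if low <= version <= high:
        return "affected"
    if version >= FIXED_VERSIONS[branch]:
        return "fixed"
    return "not listed"


def recommended_fix(text: str) -> str | None:
    """Fixed release for an affected version, or None when no upgrade is indicated."""
    if assess_version(text) != "affected":
        return None
    return ".".join(str(n) for n in FIXED_VERSIONS[parse_version(text)[:2]])


def unexpected_admins(current: list[str], baseline: set[str]) -> list[str]:
    """Post-upgrade review step: administrator accounts present now but missing
    from the known-good baseline. Plain set comparison on account names; this
    is not tied to any FortiWeb export format."""
    return sorted({name.strip() for name in current} - baseline)


# Constructed sample data for the admin review, not taken from any appliance.
BASELINE_ADMINS = {"admin", "soc-readonly"}
CURRENT_ADMINS = ["admin", "soc-readonly", "support1"]

if __name__ == "__main__":
    for v in ("7.4.9", "FortiWeb v8.0.1", "8.0.2", "7.6.7", "6.4.3"):
        print(f"{v:18} -> {assess_version(v):10} fix: {recommended_fix(v)}")
    print("unexpected admin accounts:", unexpected_admins(CURRENT_ADMINS, BASELINE_ADMINS))
```

Running the script prints the classification for each sample version and lists `support1` as the account that was not in the baseline; in practice the baseline would come from a configuration backup taken before the exposure window began.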
