Fortinet on Friday warned of an exploited FortiWeb vulnerability that permits distant, unauthenticated attackers to realize administrative entry to the net software firewall home equipment.
Tracked as CVE-2025-64446 (CVSS rating of 9.1), the bug is described as a relative path traversal challenge that may be exploited through crafted HTTP or HTTPS requests to execute administrative instructions on the system.
“Fortinet has noticed this to be exploited within the wild,” the corporate famous in its advisory, with out offering extra particulars on the assault(s).
The flaw impacts FortiWeb variations 8.0.0 via 8.0.1, 7.6.0 via 7.6.4, 7.4.0 via 7.4.9, 7.2.0 via 7.2.11, and seven.0.0 via 7.0.11. The vulnerability was resolved in FortiWeb variations 8.0.2, 7.6.5, 7.4.10, 7.2.12, and seven.0.12.
On Friday, the US cybersecurity company CISA added CVE-2025-64446 to its Identified Exploited Vulnerabilities (KEV) catalog, urging federal companies to handle it inside per week.
Per Binding Operational Directive (BOD) 22-01, federal companies are required to resolve vulnerabilities newly added to the KEV checklist inside three weeks. The shorter patching timeframe supplied for the contemporary bug underlines its significance.
The Fortinet and CISA warnings, nonetheless, come a bit late. On Thursday, a number of safety companies warned of the in-the-wild exploitation of a vulnerability in FortiWeb model 8.0.1 and earlier home equipment.
WatchTowr identified that the assaults have been indiscriminately concentrating on FortiWeb home equipment globally, whereas PwnDefend and Rapid7 linked the assaults to an exploit Defused noticed on October 6. Defused printed proof-of-concept (PoC) code based mostly on the exploit.Commercial. Scroll to proceed studying.
Each PwnDefend and Rapid7 famous that the exploit permits attackers to create administrator accounts on weak units. On November 6, Rapid7 noticed a risk actor providing an alleged zero-day exploit concentrating on FortiWeb on a darkish net discussion board, however couldn’t hyperlink it to the exploited zero-day.
Based on watchTowr’s technical writeup, CVE-2025-64446 consists of two vulnerabilities, particularly a path traversal and an authentication bypass. By creating an admin account, the attackers can totally compromise the focused home equipment.
Though it made no point out of the safety defect in FortiWeb 8.0.2’s launch notes, Fortinet probably silently patched the vulnerability after studying of its in-the-wild exploitation in October, watchTowr factors out.
Responding to a SecurityWeek inquiry, Fortinet avoided sharing particulars on the noticed assaults or on when it discovered of the flaw’s exploitation.
“We’re conscious of this vulnerability and activated our PSIRT response and remediation efforts as quickly as we discovered of this matter, and people efforts stay ongoing,” a Fortinet spokesperson stated.
“We’re speaking immediately with affected clients to advise on any vital really useful actions. We urge our clients to seek advice from the advisory and comply with the steerage supplied [in] FG-IR-25-910,” the spokesperson continued.
Within the advisory, Fortinet recommends that clients disable HTTP/HTTPS for internet-accessible interfaces till they improve to a patched FortiWeb model.
After the improve has been carried out, clients ought to assessment their configuration and logs for sudden modifications, such because the presence of unauthorized administrator accounts.
Associated: Cisco ISE, CitrixBleed 2 Vulnerabilities Exploited as Zero-Days: Amazon
Associated: Excessive-Severity Vulnerabilities Patched by Fortinet and Ivanti
Associated: Cisco, Fortinet, Palo Alto Networks Gadgets Focused in Coordinated Marketing campaign
Associated:Firefox 145 and Chrome 142 Patch Excessive-Severity Flaws in Newest Releases
