The vulnerability, a nasty relative path traversal issue, allows attackers to craft malicious HTTP or HTTPS requests that execute administrative commands. Imagine someone slipping a forged ID past the bouncer and ordering everyone’s drinks. Fortinet itself acknowledged active exploitation, issuing an advisory without divulging specifics of the attacks.
The affected FortiWeb versions read like a laundry list of recent releases:
- 8.0.0 through 8.0.1,
- 7.6.0 through 7.6.4,
- 7.4.0 through 7.4.9,
- 7.2.0 through 7.2.11, and
- 7.0.0 through 7.0.11.
The good news? Fixes are available in versions 8.0.2, 7.6.5, 7.4.10, 7.2.12, and 7.0.12. Upgrade now, thank us later.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-64446 to its Known Exploited Vulnerabilities (KEV) catalog, lighting a fire under federal agencies to remediate the flaw within a week. That’s a significantly shorter timeframe than the usual three weeks mandated by Binding Operational Directive (BOD) 22-01, underscoring the severity of the threat.
The timeline gets a bit murky. While Fortinet issued its warning on Friday, multiple security firms, including WatchTowr, PwnDefend, and Rapid7, flagged active exploitation of the vulnerability in FortiWeb version 8.0.1 and earlier on Thursday. Was this a zero-day exploit? The evidence suggests a strong possibility.
WatchTowr pointed out the indiscriminate nature of the attacks, targeting FortiWeb appliances globally. PwnDefend and Rapid7 linked the attacks to an exploit Defused observed on October 6, with Defused even publishing proof-of-concept (PoC) code.
The Dark Web Angle
Adding another layer of intrigue, Rapid7 observed a threat actor offering an alleged zero-day exploit targeting FortiWeb on a dark web forum on November 6. While a direct link to the exploited vulnerability remains unconfirmed, the timing is certainly suspicious.
According to WatchTowr’s technical writeup, CVE-2025-64446 comprises both a path traversal and an authentication bypass. Together, they allow attackers to fully compromise the targeted appliances.
Interestingly, Fortinet‘s FortiWeb 8.0.2 release notes make no mention of the security defect. WatchTowr speculates that Fortinet likely patched the vulnerability silently after discovering its exploitation in October.
When SecurityWeek inquired, Fortinet declined to provide details on the attacks or the timeline of their awareness. “We are aware of this vulnerability and activated our PSIRT response and remediation efforts as soon as we learned of this matter, and those efforts remain ongoing,” a Fortinet spokesperson stated.
The spokesperson continued, “We are communicating directly with affected customers to advise on any necessary recommended actions. We urge our customers to refer to the advisory and follow the guidance provided [in] FG-IR-25-910.”
Fortinet advises disabling HTTP/HTTPS for internet-accessible interfaces until the upgrade is complete. Post-upgrade, a thorough review of configuration and logs for unauthorized modifications, such as rogue administrator accounts, is crucial.
This incident serves as a stark reminder of the constant cat-and-mouse game in cybersecurity. The race to identify, exploit, and patch vulnerabilities is relentless, and vigilance is paramount. Stay patched, stay informed, and stay one step ahead.
