Fortinet on Friday warned of an exploited FortiWeb vulnerability that permits distant, unauthenticated attackers to realize administrative entry to the net software firewall home equipment.
Tracked as CVE-2025-64446 (CVSS rating of 9.1), the bug is described as a relative path traversal situation that may be exploited through crafted HTTP or HTTPS requests to execute administrative instructions on the system.
“Fortinet has noticed this to be exploited within the wild,” the corporate famous in its advisory, with out offering extra particulars on the assault(s).
The flaw impacts FortiWeb variations 8.0.0 by 8.0.1, 7.6.0 by 7.6.4, 7.4.0 by 7.4.9, 7.2.0 by 7.2.11, and seven.0.0 by 7.0.11. The vulnerability was resolved in FortiWeb variations 8.0.2, 7.6.5, 7.4.10, 7.2.12, and seven.0.12.
On Friday, the US cybersecurity company CISA added CVE-2025-64446 to its Recognized Exploited Vulnerabilities (KEV) catalog, urging federal businesses to deal with it inside every week.
Per Binding Operational Directive (BOD) 22-01, federal businesses are required to resolve vulnerabilities newly added to the KEV checklist inside three weeks. The shorter patching timeframe supplied for the recent bug underlines its significance.
The Fortinet and CISA warnings, nevertheless, come a bit late. On Thursday, a number of safety companies warned of the in-the-wild exploitation of a vulnerability in FortiWeb model 8.0.1 and earlier home equipment.
WatchTowr identified that the assaults had been indiscriminately concentrating on FortiWeb home equipment globally, whereas PwnDefend and Rapid7 linked the assaults to an exploit Defused noticed on October 6. Defused printed proof-of-concept (PoC) code based mostly on the exploit.
Each PwnDefend and Rapid7 famous that the exploit permits attackers to create administrator accounts on weak units. On November 6, Rapid7 noticed a menace actor providing an alleged zero-day exploit concentrating on FortiWeb on a darkish net discussion board, however couldn’t hyperlink it to the exploited zero-day.
In response to watchTowr’s technical writeup, CVE-2025-64446 consists of two vulnerabilities, specifically a path traversal and an authentication bypass. By creating an admin account, the attackers can totally compromise the focused home equipment.
Though it made no point out of the safety defect in FortiWeb 8.0.2’s launch notes, Fortinet doubtless silently patched the vulnerability after studying of its in-the-wild exploitation in October, watchTowr factors out.
Responding to a SecurityWeek inquiry, Fortinet kept away from sharing particulars on the noticed assaults or on when it discovered of the flaw’s exploitation.
“We’re conscious of this vulnerability and activated our PSIRT response and remediation efforts as quickly as we discovered of this matter, and people efforts stay ongoing,” a Fortinet spokesperson stated.
“We’re speaking straight with affected prospects to advise on any crucial beneficial actions. We urge our prospects to seek advice from the advisory and observe the steering supplied [in] FG-IR-25-910,” the spokesperson continued.
Within the advisory, Fortinet recommends that prospects disable HTTP/HTTPS for internet-accessible interfaces till they improve to a patched FortiWeb model.
After the improve has been carried out, prospects ought to evaluate their configuration and logs for surprising modifications, such because the presence of unauthorized administrator accounts.
Associated: Cisco ISE, CitrixBleed 2 Vulnerabilities Exploited as Zero-Days: Amazon
Associated: Excessive-Severity Vulnerabilities Patched by Fortinet and Ivanti
Associated: Cisco, Fortinet, Palo Alto Networks Gadgets Focused in Coordinated Marketing campaign
Associated:Firefox 145 and Chrome 142 Patch Excessive-Severity Flaws in Newest Releases
