Quick Takeaways
-
Critical Vulnerability: A serious flaw (CVE-2025-64446) in Fortinet’s FortiWeb can be exploited for remote code execution, affecting multiple versions of the web application firewall.
-
Immediate Action Required: With a CVSS score of 9.1, affected users must update to patched versions (e.g., FortiWeb 8.0.2 or higher) to avoid security risks.
-
Exploitation Method: An unauthenticated attacker can leverage relative path traversal to execute privileged commands without any authentication.
-
Silent Patch Concerns: The vulnerability was reportedly patched without prior disclosure, raising alarm among security experts about the practice of silently addressing security flaws.
[gptAs a technology journalist, write a short news story divided in two subheadings, at 12th grade reading level about ‘Critical Fortinet FortiWeb WAF Bug Exploited in Wild’in short sentences using transition words, in an informative and explanatory tone, from the perspective of an insightful Tech News Editor, ensure clarity, consistency, and accessibility. Use concise, factual language and avoid jargon that may confuse readers. Maintain a neutral yet engaging tone to provide balanced perspectives on practicality, possible widespread adoption, and contribution to the human journey. Avoid passive voice. The article should provide relatable insights based on the following information ‘
A critical Fortinet FortiWeb vulnerability capable of remote code execution has been exploited in the wild.
Fortinet on Nov. 14 disclosed CVE-2025-64446, a vulnerability in its Web application firewall (WAF) product FortiWeb. The flaw affects FortiWeb versions 8.0.0 through 8.0.1; 7.6.0 through 7.6.4; 7.4.0 through 7.4.9; 7.2.0 through 7.2.11; and 7.0.0 through 7.0.11. According to Fortinet’s PSIRT advisory, the bug is a relative path traversal vulnerability which “may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.”
Because the vulnerability is capable of remote code execution in a pre-authentication state on a target’s vulnerable FortiWeb instance, CVE-2025-64446 is considered a critical vulnerability (with a CVSS score of 9.1) and affected customers should patch the vulnerability immediately. For FortiWeb 8.0, customers should update to versions FortiWeb 8.0.2 or above; for 7.6, 7.6.5 or above; for 7.4, 7.4.10 or above; for 7.2, 7.2.12 or above; and for 7.0, 7.0.12 or above.
The vulnerability has also been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.
Nuts and Bolts of FortiWeb Flaw CVE-2025-64446
Huseyin Can Yuceel, security research lead at Picus Security, explained in a Nov. 17 blog post that CVE-2025-64446 “exists because FortiWeb’s GUI API handler does not properly validate or sanitize URL paths before processing them.”
“An attacker can craft a malicious HTTP request that abuses relative path traversal sequences to break out of the intended /api/v2.0/ routing path,” Yuceel wrote. “The path traversal provides access to a privileged CGI endpoint, and the header manipulation bypasses authentication entirely.”
Once exploited, the attacker can “create new accounts, modify configurations, or execute other privileged API commands.”
Although customers are advised to upgrade as soon as possible, if a customer cannot upgrade immediately, Fortinet recommends disabling HTTP or HTTPS for Internet-facing interfaces. “If the HTTP/HTTPS Management interface is internally accessible only as per best practice, the risk is significantly reduced,” the PSIRT advisory read.
Was CVE-2025-64446 Silently Patched?
The story of CVE-2025-64446 arguably began on Oct. 6, when security firm Defused published a post to X stating that the company detected a then unknown vulnerability in its FortiWeb Manager honeypot. Simo Kohonen, founder and CEO of the company, tells Dark Reading that “the POC was built based on our detection, so it is indeed the same vulnerability. We worked with [offensive security firm] Code White GMBH to validate the POC.”
Interestingly, CVE-2025-64446 was apparently not disclosed alongside FortiWeb version 8.0.2 or even mentioned in the initial release notes. Kohonen explains moreover that the exploit worked against 8.0.1 but not 8.0.2.
VulnCheck’s Caitlin Condon noted in a Nov. 14 blog post that security industry professionals had been sounding the alarm about CVE-2025-64446 in the days leading up to its disclosure, stating it was under active exploitation. She also criticized the apparent silent patching.
“Silently patching vulnerabilities is an established bad practice that enables attackers and harms defenders, particularly for devices and systems (including FortiWeb) that have previously been exploited in the wild,” she wrote. “We already know security by obscurity doesn’t work; adversaries monitor new product releases and are actively reverse engineering patches regardless of whether suppliers tell their customers about fixed vulnerabilities or not. When popular technology vendors fail to communicate new security issues, they are issuing an invitation to attackers while choosing to keep that same information from defenders.”
It is also possible, vendors like Watchtowr note on technical blogs, that Fortinet’s 8.0.2 patch unintentionally disarmed the exploit when it fixed the flaw. Dark Reading reached out to Fortinet for a response to assertions that the vulnerability was silently patched, but the vendor has not responded as of press time.
‘. Do not end the article by saying In Conclusion or In Summary. Do not include names or provide a placeholder of authors or source. Make Sure the subheadings are in between html tags of
[/gpt3]
Discover More Technology Insights
Explore the future of technology with our detailed insights on Artificial Intelligence.
Access comprehensive resources on technology by visiting Wikipedia.
CyberRisk-V1
