• Cyber Syrup
  • Posts
  • Fortinet Warns of Active Exploitation of Critical FortiWeb Vulnerability

Fortinet Warns of Active Exploitation of Critical FortiWeb Vulnerability

Fortinet has issued an urgent security advisory regarding a critical vulnerability in its FortiWeb Web Application Firewall

November 17, 2025

In partnership with

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Fuel your business brain. No caffeine needed.

Consider this your wake-up call.

Morning Brew}} is the free daily newsletter that powers you up with business news you’ll actually enjoy reading. It’s already trusted by over 4 million people who like their news with a bit more personality, pizazz — and a few games thrown in. Some even come for the crosswords and quizzes, but leave knowing more about the business world than they expected.

Quick, witty, and delivered first thing in the morning, Morning Brew takes less time to read than brewing your coffee — and gives your business brain the boost it needs to stay sharp and in the know.

Fortinet Warns of Active Exploitation of Critical FortiWeb Vulnerability

Fortinet has issued an urgent security advisory regarding a critical vulnerability in its FortiWeb Web Application Firewall (WAF) appliances, warning that threat actors are actively exploiting the flaw to gain unauthorized administrative access.

Overview of CVE-2025-64446

Tracked as CVE-2025-64446 and assigned a CVSS score of 9.1, the vulnerability is described as a relative path traversal flaw. By sending specially crafted HTTP or HTTPS requests, remote and unauthenticated attackers can execute administrative commands on affected systems.

Fortinet confirmed that this vulnerability is already being exploited in real-world attacks, although details regarding threat actor activity remain undisclosed.

Affected Versions and Patches

The flaw impacts multiple FortiWeb release branches:

  • 8.0.0 – 8.0.1

  • 7.6.0 – 7.6.4

  • 7.4.0 – 7.4.9

  • 7.2.0 – 7.2.11

  • 7.0.0 – 7.0.11

Fortinet has delivered patches in the following versions:

  • 8.0.2

  • 7.6.5

  • 7.4.10

  • 7.2.12

  • 7.0.12

Administrators are urged to upgrade immediately.

CISA Issues Emergency Directive

On the same day as Fortinet’s advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

In a rare move underscoring the severity of the issue, CISA set a one-week remediation deadline—far shorter than the standard three-week window outlined in Binding Operational Directive 22-01.

Evidence of Widespread Exploitation

Security firms including WatchTowr, PwnDefend, and Rapid7 independently observed active exploitation starting in early October:

  • Attackers are scanning the internet and compromising FortiWeb appliances globally.

  • Exploits allow attackers to create new administrator accounts, effectively taking full control of the device.

  • A zero-day exploit was also advertised on a dark web forum on November 6, although analysts cannot confirm whether it is linked.

Technical analysis shows CVE-2025-64446 is actually a combination of path traversal and authentication bypass vulnerabilities, making exploitation straightforward and highly impactful.

Researchers note that Fortinet appears to have patched the issue silently in version 8.0.2 once exploitation was discovered in October.

Recommended Mitigations

Fortinet advises administrators to:

  1. Immediately upgrade to a patched FortiWeb release.

  2. Disable HTTP/HTTPS access on any internet-facing interface until the upgrade is completed.

  3. Audit configurations and logs for:

    • New or unauthorized admin accounts

    • Unexpected system modifications

    • Anomalous access patterns

Fortinet has activated its internal incident response process and is notifying affected customers directly.