Active Exploit Targets Suspected FortiWeb Zero-Day
▼ Summary
– A zero-day vulnerability in Fortinet FortiWeb allows unauthenticated attackers to create admin accounts on internet-facing devices.
– The vulnerability has been silently patched in multiple FortiWeb versions including 8.0.2, with the flaw identified as CVE-2025-64446.
– Exploitation attempts were first observed in early October, and the vulnerability is now confirmed to be actively exploited in the wild.
– Fortinet recommends updating to patched versions or removing management interfaces from public internet access to prevent exploitation.
– CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply mitigations within one week.
A newly discovered zero-day vulnerability in Fortinet’s FortiWeb web application firewall is currently under active exploitation, allowing attackers to establish unauthorized administrator accounts on internet-exposed systems. Security researchers have confirmed this critical authentication bypass flaw was silently addressed in FortiWeb version 8.0.2, though Fortinet initially provided no public disclosure about the security issue. The exploitation activity first emerged in early October when threat monitoring firm Defused detected attack attempts against one of their decoy systems.
Multiple cybersecurity teams, including those from Rapid7 and watchTowr, have since validated a publicly available proof-of-concept exploit. Rapid7 has additionally released a detection script that organizations can use to determine whether their FortiWeb installations remain vulnerable to this security gap. Despite the active attacks, Fortinet maintained silence for several weeks before finally acknowledging the threat.
This vulnerability enables completely unauthenticated attackers to gain administrative privileges across both the FortiWeb Manager panel and the websocket command-line interface. Such access could allow threat actors to reconfigure security settings, intercept sensitive data, or establish persistent backdoor access to protected networks. Organizations relying on FortiWeb for web application protection should treat this as a high-severity threat requiring immediate attention.
Security professionals recommend two primary defensive measures: either upgrade vulnerable FortiWeb installations to the patched version or completely remove the management interface from public internet accessibility. For systems that have remained unpatched since early October, administrators should urgently review system logs for indicators of compromise and scrutinize user accounts for any unauthorized administrative entries. Any detected compromise should trigger a comprehensive security investigation.
UPDATE (November 14, 2025):
Fortinet has now formally documented this security issue in an official advisory, identifying it as CVE-2025-64446, a relative path traversal vulnerability that attackers can trigger through specially crafted HTTP or HTTPS requests. The company confirmed the flaw affects multiple FortiWeb versions and has been quietly remediated in releases 8.0.2, 7.6.5, 7.4.10, 7.2.12, and 7.0.12. Notably, several of these patched versions became available weeks before Fortinet’s public acknowledgment, despite evidence of ongoing exploitation.
The Cybersecurity and Infrastructure Security Agency (CISA) has responded by adding this vulnerability to its Known Exploited Vulnerabilities catalog, mandating that federal civilian agencies implement protective measures within one week. For organizations unable to immediately apply updates, the temporary workaround involves disabling HTTP and HTTPS protocols on internet-facing interfaces until patches can be deployed. Fortinet additionally advises customers to audit their configurations and review system logs for any unexpected modifications or newly created administrator accounts that lack proper authorization.
(Source: HelpNet Security)
