Fortinet Patches Actively Exploited FortiWeb Zero-Day

Fortinet has urgently addressed a critical zero-day vulnerability within its FortiWeb web application firewall, a flaw that is currently undergoing widespread active exploitation. The company quietly released a patch following initial reports that unidentified attackers were leveraging a path traversal issue to establish new administrative accounts on devices accessible from the internet.

Early indicators of these attacks emerged on October 6th, when the threat intelligence group Defused identified the activity. They published a proof-of-concept exploit, noting that an unknown method, potentially a variant of a previous vulnerability, was being used. Attackers were sending specially crafted HTTP POST requests to a specific Fortinet endpoint, enabling them to create local administrator accounts without any authentication. Later, security researchers at watchTowr Labs demonstrated their own exploit and released a diagnostic tool named the “FortiWeb Authentication Bypass Artifact Generator” to assist security teams in identifying potentially compromised systems.

According to cybersecurity firm Rapid7, the vulnerability impacts FortiWeb versions 8.0.1 and all earlier releases. The company confirmed that the publicly available exploit code becomes ineffective once systems are updated to version 8.0.2. Fortinet has now formally disclosed that attackers are actively exploiting this path confusion vulnerability, officially cataloged as CVE-2025-64446. This security hole resides in the FortiWeb graphical user interface component and permits unauthenticated individuals to run administrative commands on vulnerable systems through manipulated HTTP or HTTPS requests.

In a security advisory issued on Friday, Fortinet explicitly stated it has observed active exploitation of this flaw in real-world attacks. The patch was integrated into FortiWeb version 8.0.2, which was made available on October 28th. This release came approximately three weeks after the first reports of CVE-2025-64446 being actively used by threat actors. The company has provided a clear upgrade path for all affected versions, urging users to move to the latest patched releases to secure their environments.

The urgency of the situation was further underscored when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-64446 to its catalog of known exploited vulnerabilities. The agency has mandated that all federal civilian executive branch agencies apply the necessary patches by November 21st, highlighting that such vulnerabilities are a common and high-risk vector for malicious cyber activity.

For administrators unable to perform an immediate upgrade, Fortinet has recommended specific mitigation steps. The most crucial interim action is to disable HTTP and HTTPS access for any management interfaces facing the public internet, ensuring that administrative access is strictly limited to trusted internal networks. The company also advises customers to thoroughly inspect their system configurations and scrutinize logs for any signs of newly created, unauthorized administrator accounts or other suspicious configuration changes.

This incident is part of a broader pattern of security challenges for Fortinet. Just a couple of months prior, in August, the company had to patch a critical command injection flaw, tracked as CVE-2025-25256, in its FortiSIEM security monitoring product. That emergency patch was released one day after cybersecurity firm GreyNoise reported a massive surge in brute-force attacks targeting Fortinet’s SSL VPNs.

(Source: Bleeping Computer)