US cyber agency warns of active exploitation of Fortinet FortiWeb path traversal vulnerability

Security experts warned of exploitation last week, and now CISA and Fortinet have both released advisories regarding CVE-2025-64446.


Analysts at cyber security firm watchTowr sounded the alarm late last week, warning that they had observed active exploitation of an authentication bypass vulnerability in Fortinet’s FortiWeb products.

“Oh look at that, it’s a Thursday! And in continuing with Thursdays, the watchTowr team is seeing active, indiscriminate in-the-wild exploitation of what appears to be a silently patched vulnerability in Fortinet’s FortiWeb product,” watchTowr’s CEO, Benjamin Harris, said on 14 November.

“Patched in version 8.0.2, the vulnerability allows attackers to perform actions as a privileged user – with in-the-wild exploitation focusing on adding a new administrator account as a basic persistence mechanism for the attackers.”


At the time, watchTowr was waiting for a response from Fortinet, but warned that any appliances that remained unpatched were likely already compromised.

According to Rapid7, exploitation has been occurring since October, although the number of incidents may have increased from 6 November.

"On November 6, 2025, Rapid7 Labs observed that an alleged zero-day exploit targeting FortiWeb was published for sale on a popular black hat forum," Rapid7 said in a recent blog post.

"While it is not clear at this time if this is the same exploit as the one described above, the timing is coincidental."

Over the weekend, Fortinet acknowledged the vulnerability and its active exploitation, and the US Cybersecurity and Infrastructure Security Agency (CISA) responded by adding the vulnerability, now disclosed as CVE-2025-64446, to its Known Exploited Vulnerabilities Catalog and sharing Fortinet’s advisory.

“CISA is aware of exploitation of a newly disclosed vulnerability, CVE-2025-64446, in Fortinet FortiWeb, a web application firewall,” CISA said in a 15 November statement.

“CVE-2025-64446 is a relative path traversal vulnerability CWE-23: Relative Path Traversal that may allow an unauthenticated malicious actor to execute administrative commands on a system via specially crafted HTTP or HTTPS requests.”

The issue is present in the following versions of FortiWeb products:

  • 8.0.0 through 8.0.1
  • 7.6.0 through 7.6.4
  • 7.4.0 through 7.4.9
  • 7.2.0 through 7.2.11
  • 7.0.0 through 7.0.11

Both Fortinet and CISA recommend immediately upgrading impacted systems, with those who cannot update warned to disable HTTP or HTTPS for internet-facing interfaces. CISA warned, however, that while that course of action may reduce risk, it does not eliminate it entirely.

“Upgrading the affected systems remains essential and is the only way to fully remediate this vulnerability,” CISA said.
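The practical task for a defender after reading the advisory is to work out which FortiWeb appliances in an inventory fall inside the affected version ranges listed above, and which of those are exposed to the internet and so need the interim HTTP/HTTPS restriction while the upgrade is scheduled. The following triage helper is an added example written for this article; it is not code from Fortinet, CISA, watchTowr or Rapid7. It encodes only the affected ranges the advisory lists (it does not know fixed versions for each branch, so anything outside those ranges is reported as "not listed" rather than "safe"), and the sample inventory of hostnames and versions is constructed.

```python
"""Triage helper for CVE-2025-64446 (FortiWeb).

Added example, not vendor or CISA code.  The affected ranges below are the
ones listed in the advisory (inclusive at both ends); the inventory at the
bottom is a constructed sample.
"""

from dataclasses import dataclass

Version = tuple[int, int, int]

# Affected FortiWeb versions as published for CVE-2025-64446 (inclusive).
AFFECTED_RANGES: list[tuple[Version, Version]] = [
    ((8, 0, 0), (8, 0, 1)),
    ((7, 6, 0), (7, 6, 4)),
    ((7, 4, 0), (7, 4, 9)),
    ((7, 2, 0), (7, 2, 11)),
    ((7, 0, 0), (7, 0, 11)),
]


def parse_version(text: str) -> Version:
    """Turn '7.4.3', 'v7.4.3' or '7.4' into a (major, minor, patch) tuple.

    Missing components default to 0; anything non-numeric raises ValueError
    so a bad inventory entry is surfaced rather than silently treated as safe.
    """
    s = text.strip().lower()
    if s.startswith("v"):
        s = s[1:]
    parts = s.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def is_affected(version: str) -> bool:
    """True if the version lies inside any listed affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


@dataclass
class Appliance:
    hostname: str
    version: str
    internet_facing: bool  # HTTP/HTTPS reachable from the internet


def triage(inventory: list[Appliance]) -> list[tuple[str, str]]:
    """Return (hostname, recommended action) pairs, most urgent first.

    Priority 0: affected and internet-facing (upgrade now; restrict HTTP/HTTPS
                on internet-facing interfaces until then, which reduces but
                does not remove the risk).
    Priority 1: affected but not internet-facing, or a version we cannot parse.
    Priority 2: version not in any listed affected range.
    """
    rows: list[tuple[int, str, str]] = []
    for a in inventory:
        try:
            affected = is_affected(a.version)
        except ValueError:
            rows.append((1, a.hostname, "unparseable version; verify on the device"))
            continue
        if affected and a.internet_facing:
            rows.append((0, a.hostname,
                         "AFFECTED and internet-facing: upgrade immediately; "
                         "disable HTTP/HTTPS on internet-facing interfaces until upgraded"))
        elif affected:
            rows.append((1, a.hostname, "AFFECTED: upgrade"))
        else:
            rows.append((2, a.hostname, "not in a listed affected range"))
    rows.sort(key=lambda r: (r[0], r[1]))
    return [(host, action) for _, host, action in rows]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    Appliance("waf-dmz-01", "7.4.3", True),
    Appliance("waf-lab-02", "v8.0.1", False),
    Appliance("waf-dmz-03", "8.0.2", True),
    Appliance("waf-old-04", "7.0.11", False),
    Appliance("waf-bad-05", "unknown", True),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(f"{host:12s} {action}")
```

Feed `triage` the output of whatever asset database you already keep (hostname, firmware version, whether the management interface is reachable from the internet) and the sorted list tells you where to start. The version comparison is tuple-based on purpose: string comparison would rank "7.4.10" below "7.4.9", which is exactly the kind of mistake that leaves an affected appliance marked as patched.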

You can read Fortinet's advisory here, and watchTowr’s full breakdown of the vulnerability here.


UPDATED 17/11/25 to add Rapid7 commentary.

David Hollingworth


David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
