A vulnerability in Fortinet’s FortiWeb web application firewall has been actively exploited before the vendor issued a fix. This has prompted urgent patching advisories from both Fortinet and the US Cybersecurity and Infrastructure Security Agency (CISA).
CVE-2025-64446 is a remote, unauthenticated relative path traversal flaw in the FortiWeb web application firewall that enables remote attackers to run admin commands using specially-crafted HTTP/HTTPS requests. CVE-2025-64446 has a CVSS base score of 9.1.
While Fortinet did state that they were aware that there had been exploitation prior to the release of patches, they did not identify any other details about those campaigns. Expert Insights contacted Fortinet for further statements on this topic but received no response at the time of publication.
CVE-2025-64446 affects all versions of FortiWeb version 7.0 through 7.0.11; version 7.2.0 through 7.2.11; version 7.4.0 through 7.4.9; version 7.6.0 through 7.6.4; and version 8.0.0 through 8.0.1. Patches have been included in versions 7.0.12, 7.2.12, 7.4.10, 7.6.5, and 8.0.2.
CISA added the bug to its Known Exploited Vulnerabilities (KEV) catalog on Nov. 14, 2025.
Security Analysis and Mitigation
Multiple security firms, including WatchTowr, PwnDefend, and Rapid7, reported observing widespread attacks targeting unpatched FortiWeb systems. Their research showed that attackers used the flaw to create unauthorized administrator accounts, which gave them complete control over devices.
In addition, Rapid7 also observed that a threat actor posted an advertisement for an alleged FortiWeb “zero day” on a darknet forum on Nov. 6, 2025. However, the researchers were not able to conclude that the posting was associated with CVE-2025-64446.
According to WatchTowr’s technical analysis, the issue effectively combined a path traversal flaw with an authentication bypass. The firm believes that Fortinet likely resolved the bug quietly in October when it became aware that it had been exploited in real-world scenarios.
Fortinet recommended that customers who cannot apply patches right away should block HTTP/HTTPS access to internet-facing interfaces, which will reduce, but not eliminate, risk.
Once patched, organizations should evaluate their configurations and logs for any unusual changes or the presence of suspicious administrator accounts.
