- CVE-2025-64446 allows unauthenticated attackers to execute administration commands on FortiWeb WAF systems
- Actively exploited in the wild; affects versions 7.0.0–8.0.1, patched in 8.0.2
- CISA added it to KEV; Fortinet urges immediate patching or disabling of HTTP/HTTPS interfaces connected to the Internet
Fortinet has released a fix for a critical vulnerability in its FortiWeb web application firewall (WAF) and has urged customers to update immediately as the flaw is being actively exploited in the wild.
The company published a new security advisory, saying it addressed a relative path traversal vulnerability that allows unauthenticated threat actors to execute administrative commands on the system.
The bug is now tracked as CVE-2025-64446 and has been assigned a severity score of 9.8/10, meaning it is critical and should be fixed immediately.
Abusing the zero day
The bug affects several versions of the WAF:
8.0.0 to 8.0.1,
7.6.0 to 7.6.4,
7.4.0 to 7.4.9,
7.2.0 to 7.2.11,
7.0.0 to 7.0.11
It was fixed in version 8.0.2, security researchers confirmed.
The fix should be applied without hesitation, Fortinet added, stating that the bug was “observed to be exploited in the wild.”
Indeed, it is, as several security teams have been warning about this for weeks. In early October 2025, security researchers at Defused published a proof of concept (PoC) for an “unknown Fortinet exploit”, followed by an exploit demo published by watchTowr Labs.
Those who cannot apply the fix immediately should disable HTTP or HTTPS for interfaces connected to the Internet, Fortinet recommended. “If the HTTP/HTTPS management interface is only accessible internally per best practices, the risk is significantly reduced.” Additionally, after applying the patch, users should review their configuration and check the logs for unexpected modifications and to see if any new administrator accounts have been added.
The bug was also added to CISA’s catalog of known exploited vulnerabilities (KEV), meaning federal agencies have until November 21 to patch or stop using Fortinet’s WAF.
“This type of vulnerability is a frequent attack vector for malicious cyberattacks and poses significant risks to the federal enterprise,” CISA warned.
Through beepcomputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
