- CVE-2025-64446 allows unauthorized attackers to execute admin commands on FortiWeb WAF systems
- Actively exploited in the wild; affects versions 7.0.0 to 8.0.1; patched in 8.0.2
- CISA added it to KEV; Fortinet encourages immediate patching or disabling of Internet-facing HTTP/HTTPS interfaces
Fortinet has released a patch for a critical vulnerability in its FortiWeb web application firewall (WAF) and has urged customers to update immediately as the flaw is being actively exploited in the wild.
The company published a new security advisory saying it addressed a relative path traversal vulnerability that allows unauthorized threat actors to execute administrative commands on the system.
The bug is now tracked as CVE-2025-64446 and was given a severity score of 9.8/10, meaning it is critical and needs to be addressed immediately.
Abusing the zero day
The bug affects several versions of the FortiWeb WAF:
- 8.0.0 to 8.0.1
- 7.6.0 to 7.6.4
- 7.4.0 to 7.4.9
- 7.2.0 to 7.2.11
- 7.0.0 to 7.0.11
It was fixed in version 8.0.2, security researchers confirmed.
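The version ranges above are the kind of thing an inventory check should encode exactly. As an added example (not Fortinet's code or anything from the advisory), the script below takes a FortiWeb version string and reports whether it falls inside one of the ranges listed here; it only treats 8.0.2 as the fixed release because that is what this page states, and the host names and versions in the sample inventory are constructed.

```python
# Added example: compare a FortiWeb version string against the affected
# ranges listed in the CVE-2025-64446 advisory as quoted on this page.
# Not Fortinet code; the sample inventory below is constructed.
from typing import List, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges per release branch, exactly as listed above.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((8, 0, 0), (8, 0, 1)),
    ((7, 6, 0), (7, 6, 4)),
    ((7, 4, 0), (7, 4, 9)),
    ((7, 2, 0), (7, 2, 11)),
    ((7, 0, 0), (7, 0, 11)),
]

def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch'; a leading 'v' or a '-build' suffix is tolerated."""
    core = text.strip().lstrip("vV").split("-")[0].split("+")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))

def is_affected(version: str) -> bool:
    """True if the version lies inside any listed affected range (inclusive)."""
    v = parse_version(version)
    # Tuple comparison orders major, then minor, then patch.
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def assess(version: str) -> str:
    """Human-readable verdict for one device, from a defender's point of view."""
    v = parse_version(version)
    if is_affected(version):
        return "AFFECTED: patch, or keep HTTP/HTTPS management off Internet-facing interfaces"
    if v < AFFECTED_RANGES[-1][0]:
        return "UNLISTED: older than every listed range; confirm support status with Fortinet"
    return "NOT LISTED AS AFFECTED"

if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    inventory = [("waf-edge-1", "7.6.3"), ("waf-edge-2", "8.0.2"), ("waf-lab", "v7.2.11-build0123")]
    for host, ver in inventory:
        print(f"{host:12} {ver:18} {assess(ver)}")
```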
The fix should be applied without hesitation, Fortinet added, saying the flaw was “observed to be exploited in the wild.”
It is indeed being exploited: several security outfits have been warning about this for weeks. In early October 2025, security researchers from Defused published a Proof-of-Concept (PoC) for an “unknown Fortinet exploit”, followed by a demo exploit released by watchTowr Labs.
Those who cannot apply the fix immediately should disable HTTP or HTTPS for Internet-facing interfaces, Fortinet advised. “If the HTTP/HTTPS Management interface is only internally accessible according to best practices, the risk is significantly reduced.” After patching, users should also review their configuration and logs for unexpected changes, including whether new administrator accounts have been added.
The flaw was also added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, meaning federal agencies have until November 21 to fix or stop using Fortinet’s WAF.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned.
Via Bleeping Computer