CISA has issued an urgent alert about a critical vulnerability in Fortinet’s FortiWeb Web Application Firewall (WAF), actively exploited by threat actors to seize administrative control of affected systems.
Tracked as CVE-2025-64446, the flaw stems from a relative path traversal issue (CWE-23) that enables unauthenticated attackers to execute arbitrary administrative commands through specially crafted HTTP or HTTPS requests.
Added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on November 14, 2025, the vulnerability carries a due date of November 21 for federal agencies to apply mitigations or discontinue use.
Fortinet’s advisory (FG-IR-25-910) confirms the issue affects multiple FortiWeb versions, including those running firmware up to 7.4.7 and 7.6.5. Attackers can exploit it without authentication, potentially leading to complete system compromise, data exfiltration, or deployment of malware.
While it’s unknown whether the vulnerability has been tied to ransomware campaigns, security researchers have reported real-world exploitation in the wild targeting organizations in sectors like finance and healthcare.
FortiWeb WAF Vulnerability Exploited in the Wild
“This path traversal bug is a classic but dangerous oversight in file handling,” said cybersecurity expert Maria Chen, a vulnerability researcher at a leading threat intelligence firm. “Unauthenticated access to admin functions turns a WAF meant to protect web apps into a backdoor for attackers.”
Fortinet urges immediate patching to the latest versions, such as 7.4.8 or 7.6.6, and recommends restricting administrative access via network segmentation.
For cloud-deployed instances, CISA advises adherence to Binding Operational Directive (BOD) 22-01, which mandates timely remediation of vulnerabilities in federal systems.
Organizations unable to patch should isolate affected devices and monitor for indicators of compromise, such as unusual HTTP traffic patterns or unauthorized command execution.
The flaw highlights ongoing risks in network security appliances, which are prime targets for advanced persistent threats (APTs). As exploitation ramps up, experts warn that unpatched FortiWeb deployments could amplify broader attack chains, such as lateral movement in enterprise networks. Fortinet has not disclosed the initial discovery method but emphasizes that no customer data was breached during its investigation.
With the patch deadline looming, affected users are racing to update. Delays could expose sensitive infrastructure to persistent threats, underscoring the need for proactive vulnerability management in an era of zero-day exploits.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
