Researchers warn that a critical vulnerability in Fortinet FortiWeb is under active exploitation, amid criticism that the company issued a silent patch for the flaw in late October.
The relative path traversal vulnerability, tracked as CVE-2025-64446, can allow an unauthenticated attacker to execute administrative commands on a system by using specially crafted HTTP or HTTPS requests. The vulnerability has a severity score of 9.1.
The Cybersecurity and Infrastructure Security Agency on Friday added the flaw to its Known Exploited Vulnerabilities catalog and also released additional guidance late Friday afternoon.
CISA released additional guidance warning security teams to disable HTTP or HTTPS for internet-facing interfaces if they cannot immediately upgrade. Security teams should also inspect logs for any evidence of unauthorized administrator accounts being created.
CISA asked security teams to report any confirmed incidents or unusual activity to its operations center.
According to multiple researchers, the patched version 8.0.2 was released on Oct. 28, but the company did not release official guidance or a CVE until this past Friday.
The vulnerability “allows attackers to perform actions as a privileged user,” Benjamin Harris, founder and CEO of watchTowr told Cybersecurity Dive. Exploitation activity has been focused on “adding a new administrator account as a basic persistence mechanism,” Harris added.
Researchers at Shadowserver said they are seeing a few hundred cases globally, but they cannot get a clear picture of vulnerable instances at the moment, due to their inability to get an accurate estimate in a safe, non-intrusive manner.
A firm called Defused published a proof of concept on Oct. 6, and warned the exploit might be a variant of CVE-2022-40684.
Fortinet on Friday confirmed it was aware of the vulnerability, saying it activated its PSIRT remediation and response efforts as soon as it learned of the activity.
“Fortinet diligently balances our commitment to the security of our customers and our culture of responsible transparency,” a spokesperson from Fortinet told Cybersecurity Dive. “With that goal and principle top of mind, we are communicating directly with affected customers to advise on any necessary recommended actions.”
The company did not respond when specifically questioned on research concerns about silent patching.
Caitlin Condon, VP of security research at VulnCheck, noted that Fortinet is a CVE Numbering Authority, but has a prior history of issuing silent patches, and noted the practice creates enormous confusion in the security community and can give adversaries an advantage.
“Unfortunately, Fortinet also has a demonstrable history of silently patching security vulnerabilities before publishing CVEs or public advisories,” Condon said, “including in multiple cases where exploitation began before vulnerabilities were publicly announced.”