In worrying news for organisations relying on Fortinet FortiWeb products, the company has released emergency patches for two critical security weaknesses that hackers are already using in real-world attacks. These FortiWeb devices are special firewalls designed to protect web applications.
Critical Flaw Allowed Total Takeover
The most serious issue, CVE-2025-64446, is being exploited globally, with attack origins traced to the US, Europe, and Asia. This flaw is rated extremely high (9.8 out of 10) and has been active since early October 2025. It is a type of Path Traversal problem, which means attackers could trick the system into running files it shouldn’t.
What makes this flaw so bad is that it allows even a hacker who isn’t logged in (unauthenticated) to bypass security, create a new administrator account, and gain complete control over the device. The attacker could then disable security rules and possibly gain deeper network access.
Research firm Qualys analysed this threat, explaining that the attack cleverly combines two flaws to bypass the normal login process. The US CISA added this flaw to its KEV catalogue on November 14, 2025, demanding a fix by November 21, 2025.
Second Exploit Also Requires Immediate Fix
More recently, a second flaw, CVE-2025-58034, has also been confirmed as being actively exploited. This issue is an OS Command Injection vulnerability, which lets a logged-in (authenticated) attacker run unauthorised code on the system.
Although it is rated lower (6.7), its active exploitation is a serious concern. Jason McFadyen of Trend Micro’s Trend Research team is credited with the discovery. Due to the danger, CISA also added this flaw to its critical list on November 18, 2025, with a fix required by November 25, 2025.
What You Need to Do Now
Fortinet has released fixes, and CVE-2025-64446 was silently patched in version 8.0.2 on October 28, 2025, even though an official security alert was not released at that time.
Affected organisations must immediately update their FortiWeb versions. For example, if you are running version 8.0.1 or earlier, you must update to FortiWeb 8.0.2 or higher. If you are using the 7.6 branch, you must update to 7.6.6 to fix all recent issues (version 7.6.5 only fixed the older critical flaw). Updates are also available for versions in the 7.4, 7.2, and 7.0 branches.
As a necessary, temporary step, you should immediately disable the device’s management access from the public internet. Furthermore, organisations must check their system logs for any unauthorised administrator accounts, such as “Testpoint” or “trader,” which hackers have been observed creating since early October.