Fortinet FortiWeb flaws found in unsupported versions of web application firewall

Security researchers warn that two recently disclosed vulnerabilities in Fortinet FortiWeb can be exploited in attacks targeting earlier, unsupported versions of the web application firewall product. 

Fortinet in November confirmed that a relative path traversal vulnerability, tracked as CVE-2025-64446, and an operating system command injection vulnerability, tracked as CVE-2025-58034, were being exploited in the wild. 

However, researchers at Rapid7 said on Monday that the vulnerabilities also affect earlier versions of FortiWeb than previously disclosed.

Fortinet's advisory for CVE-2025-64446 listed the affected versions as starting at the 7.0 branch (7.0.0 through 7.0.11) and running up through 8.0.0 to 8.0.1; it did not list any 6.x release.

Stephen Fewer, principal security researcher at Rapid7, found that older, unsupported FortiWeb 6.x versions were also vulnerable to both CVE-2025-64446 and CVE-2025-58034.

Rapid7 researchers said they have not directly observed threat activity targeting these earlier FortiWeb versions, but they have notified customers and noted that the Cybersecurity and Infrastructure Security Agency has added both flaws to its Known Exploited Vulnerabilities catalog.

Fortinet had previously come under widespread criticism for issuing a silent patch following the initial disclosures of CVE-2025-64446 in October, after a firm called Defused published a blog post in early October describing suspicious activity.

A silent patch means the vendor ships a fix without official guidance or a CVE identifier. Security teams at organizations using the product therefore had no instructions on what to look for, no statement of the actual risk, and no basis for prioritizing mitigation.

“In this case, we saw exploitation in the wild before CVEs were even issued, which is a huge kneecap for defenders,” Ryan Emmons, staff security researcher at Rapid7, told Cybersecurity Dive. “Many of the processes and triage steps that are taken when new vulnerabilities come out rely on those CVE identifiers.”
