Fortinet has issued an urgent advisory warning of a critical vulnerability in its FortiWeb web application firewall (WAF) product, which attackers are actively exploiting in the wild.
Identified as CVE-2025-64446, the flaw stems from improper access control in the GUI component, allowing unauthenticated threat actors to execute administrative commands and potentially seize complete control of affected systems.
The vulnerability, classified as a relative path traversal issue (CWE-23), enables attackers to craft malicious HTTP or HTTPS requests that bypass authentication.
This could lead to the creation of unauthorized administrator accounts, granting full access to the device’s configuration and sensitive data. Fortinet’s Product Security Incident Response Team (PSIRT) confirmed active exploitation and urged immediate patching to mitigate risks.
With a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the flaw earns a “Critical” severity rating per National Vulnerability Database (NVD) standards. It affects multiple FortiWeb versions across branches 8.0, 7.6, 7.4, 7.2, and 7.0. Specifically:
- FortiWeb 8.0.0 through 8.0.1
- FortiWeb 7.6.0 through 7.6.4
- FortiWeb 7.4.0 through 7.4.9
- FortiWeb 7.2.0 through 7.2.11
- FortiWeb 7.0.0 through 7.0.11
Users should upgrade to the latest patched versions: 8.0.2 or above, 7.6.5 or above, 7.4.10 or above, 7.2.12 or above, or 7.0.12 or above, respectively. Detailed CVRF and CSAF files are available on FortiGuard for automated integration.
As a temporary workaround, Fortinet recommends disabling HTTP or HTTPS access on internet-facing interfaces, aligning with best practices that limit management access to internal networks only. This reduces exposure significantly but doesn’t eliminate the threat entirely.
Post-upgrade, organizations must audit configurations and logs for signs of compromise, such as unexpected admin account additions or modifications. Fortinet emphasized reviewing access patterns to detect any lingering unauthorized activity.
This incident highlights the persistent risks to network security appliances, which are prime targets for attackers seeking to pivot into broader environments.
As WAFs like FortiWeb protect web applications from threats, they can also introduce ironic backdoors through their own vulnerabilities. Security experts advise prioritizing patches for critical infrastructure, especially given the flaw’s ease of exploitation, as no privileges or user interaction are required.
Fortinet’s advisory, published today, underscores the company’s commitment to rapid disclosure. For more details, visit the FortiGuard PSIRT page. As exploitation continues, unpatched systems remain highly vulnerable.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
