Fortinet has released urgent security updates to address a critical vulnerability in its FortiWeb Web Application Firewall (WAF) that is being actively exploited in the wild.
Tracked as CVE-2025-64446, the flaw allows unauthenticated attackers to execute administrative commands and gain complete control of affected systems. The vulnerability has been assigned a critical severity rating with a CVSS score of 9.1 out of 10.
The security issue is a relative path traversal vulnerability (CWE-23) residing in the product’s graphical user interface (GUI). By sending a specially crafted HTTP or HTTPS request to a vulnerable device, an attacker can bypass access controls.
This allows them to execute arbitrary commands with the highest privileges, which could lead to the creation of unauthorized administrator accounts, data exfiltration, or complete system compromise.
Fortinet’s advisory confirms it has observed active exploitation of this vulnerability, making immediate patching a top priority for all customers.
The flaw affects multiple versions of FortiWeb, including versions 8.0, 7.6, 7.4, 7.2, and 7.0. Fortinet has made patches available for all affected branches and strongly advises administrators to upgrade to the latest secure versions as soon as possible.
The recommended versions are 8.0.2, 7.6.5, 7.4.10, 7.2.12, and 7.0.12 or above.
For organizations unable to apply the updates immediately, Fortinet recommends a temporary workaround.
Administrators should disable HTTP/HTTPS access to the management interface on all internet-facing interfaces. While this significantly reduces the attack surface, Fortinet stresses that this should only be a temporary measure until the system can be upgraded.
After patching, it is crucial for administrators to audit their systems for any signs of compromise. This includes reviewing system logs for unexpected modifications and checking for any unauthorized local or admin accounts that may have been created by attackers.
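The workaround and the post-patch audit above both reduce to a few concrete checks: no internet-facing interface should still allow HTTP/HTTPS management access, the set of administrator accounts should match an approved baseline, and the event and access logs should be searched for admin-account creation and for path-traversal-shaped requests against the management interface. The script below is an added example, not Fortinet's code; the log line layout, the `action=`/`object=` field names, the interface configuration dictionary and every address, account name and URL path in it are constructed for illustration and are not FortiWeb's real log schema or CLI output.

```python
import re
from urllib.parse import unquote

# --- Constructed sample data (assumptions for the example, not real device output) ---

# Approved administrator accounts, as recorded in change management.
APPROVED_ADMINS = {"admin", "netops-ro"}

# Administrator accounts exported from the appliance after patching.
CURRENT_ADMINS = ["admin", "netops-ro", "svc_backup2"]

# Management-interface configuration: which interfaces face the internet and
# which access methods each one permits.
SAMPLE_INTERFACES = {
    "port1": {"internet_facing": True,  "allowaccess": {"https", "ssh"}},
    "port2": {"internet_facing": False, "allowaccess": {"https", "ssh"}},
    "port3": {"internet_facing": True,  "allowaccess": {"ping"}},
}

# Event-log lines in a constructed "timestamp key=value ..." layout.
SAMPLE_EVENT_LOG = """\
2025-11-14T09:12:03Z user=admin src=10.0.5.20 action=login status=success
2025-11-14T09:13:40Z user=admin src=10.0.5.20 action=config-change object=waf-policy
2025-11-14T22:47:11Z user=- src=203.0.113.77 action=admin-add object=svc_backup2 profile=prof_admin
2025-11-14T22:47:19Z user=svc_backup2 src=203.0.113.77 action=login status=success
"""

# Access-log lines for the management GUI in a constructed common-log-like layout.
SAMPLE_ACCESS_LOG = """\
203.0.113.77 - [14/Nov/2025:22:46:58 +0000] "GET /api/status HTTP/1.1" 200
203.0.113.77 - [14/Nov/2025:22:47:05 +0000] "POST /img/..%2f..%2fconfig HTTP/1.1" 200
10.0.5.20 - [14/Nov/2025:09:12:01 +0000] "GET /login HTTP/1.1" 200
"""

# --- Checks ---

def exposed_admin_interfaces(interfaces):
    """Interfaces that face the internet and still allow HTTP or HTTPS management."""
    return sorted(
        name for name, cfg in interfaces.items()
        if cfg["internet_facing"] and cfg["allowaccess"] & {"http", "https"}
    )

def unauthorized_admins(current, approved):
    """Administrator accounts present on the device but absent from the baseline."""
    return sorted(set(current) - set(approved))

def admin_creation_events(log_text):
    """(timestamp, created_account, source_ip) for every admin-add event."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        fields = dict(kv.split("=", 1) for kv in parts[1:])
        if fields.get("action") == "admin-add":
            events.append((parts[0], fields["object"], fields["src"]))
    return events

# A ".." path segment, after decoding, is the shape of a relative traversal attempt.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')

def traversal_requests(log_text):
    """(client_ip, raw_path) for requests whose decoded path contains a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # Decode twice so double-encoded sequences such as %252e%252e are caught.
        decoded = unquote(unquote(m.group("path")))
        if TRAVERSAL_RE.search(decoded):
            hits.append((line.split()[0], m.group("path")))
    return hits

def run_audit():
    """Collect every finding into one dict so it can be reported or asserted on."""
    return {
        "exposed_interfaces": exposed_admin_interfaces(SAMPLE_INTERFACES),
        "unauthorized_admins": unauthorized_admins(CURRENT_ADMINS, APPROVED_ADMINS),
        "admin_creations": admin_creation_events(SAMPLE_EVENT_LOG),
        "traversal_requests": traversal_requests(SAMPLE_ACCESS_LOG),
    }

if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(f"{check}: {findings if findings else 'none'}")
```

In practice the baseline, interface configuration and logs would come from the organisation's own records and the appliance's exports rather than the inline constants; the point of the structure is that an unexpected account, an admin-add event from an unfamiliar source address, and a traversal-shaped request from the same address line up in one report, which is the correlation the advisory's audit advice is asking administrators to make.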
