Critical zero-day vulnerability in Fortinet FortiWeb actively exploited in the wild

Fortinet is reporting a critical security vulnerability in its FortiWeb web application firewall that has been actively exploited in the wild since early October 2025. 

The vulnerability is tracked as CVE-2025-64446 (CVSS score 9.1), a relative path traversal flaw that allows unauthenticated attackers to execute administrative commands on vulnerable FortiWeb systems through HTTP or HTTPS requests. It enables attackers to gain complete administrative control over affected FortiWeb appliances by creating unauthorized administrator accounts and allowing attackers to pivot into protected internal networks.

The vulnerability was first identified on October 6, 2025, when cybersecurity firm Defused published a proof-of-concept exploit after detecting attacks against their FortiWeb honeypots. At that time, the flaw had not been publicly disclosed nor assigned a CVE identifier. The attack exploits a path confusion weakness in FortiWeb's GUI component, specifically targeting the endpoint /api/v2.0/cmdb/system/admin?/../../../../../cgi-bin/fwbcgi to create local administrator-level accounts.

Security researchers at watchTowr Labs confirmed the vulnerability and developed additional detection tools to help organizations identify compromised systems. Despite the active exploitation observed throughout October, Fortinet remained silent about the vulnerability until November 14, 2025, when the company finally published an official security advisory acknowledging the in-the-wild exploitation.

FortiWeb versions affected by this vulnerability:

• FortiWeb 8.0: versions 8.0.0 through 8.0.1
• FortiWeb 7.6: versions 7.6.0 through 7.6.4
• FortiWeb 7.4: versions 7.4.0 through 7.4.9
• FortiWeb 7.2: versions 7.2.0 through 7.2.11
• FortiWeb 7.0: versions 7.0.0 through 7.0.11

Evidence suggests that Fortinet silently patched the vulnerability in FortiWeb version 8.0.2, released on October 28, 2025—three weeks after the initial reports of exploitation emerged. The company made no mention of the security fix in the release notes, leaving customers unaware of the critical flaw. 

At least 80,000 FortiWeb web application firewalls are estimated to be connected to the internet. Widespread and indiscriminate exploitation attempts continue to target vulnerable devices. The attacks primarily focus on establishing persistence by creating new administrative accounts with full system privileges.

Fortinet has released patches addressing CVE-2025-64446 in the following versions:

• FortiWeb 8.0.2 or above
• FortiWeb 7.6.5 or above
• FortiWeb 7.4.10 or above
• FortiWeb 7.2.12 or above
• FortiWeb 7.0.12 or above

On November 14, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-64446 to its Known Exploited Vulnerabilities Catalog, ordering federal agencies to remediate the vulnerability by November 21, 2025. Given the timeline of exploitation dating back to early October and the availability of public proof-of-concept code, security experts warn that unpatched internet-facing FortiWeb appliances should be treated as potentially compromised.

Organizations that cannot immediately upgrade should disable HTTP or HTTPS access for all internet-facing management interfaces. Fortinet strongly recommends restricting management interface access to trusted internal networks only. After upgrading to patched versions, administrators must thoroughly review their FortiWeb configurations and audit system logs for any unexpected modifications or the addition of unauthorized administrator accounts. 

Organizations should search for suspicious POST requests to the vulnerable endpoint, base64-encoded CGIINFO headers in HTTP requests, unknown administrative accounts created since early October, new local user accounts with administrative privileges, and accounts with trust host ranges configured to allow access from any IP address.