A suspected Fortinet FortiWeb zero-day is actively exploited, researchers warn

A suspected (but currently unidentified) zero-day vulnerability in Fortinet FortiWeb is being exploited by unauthenticated attackers to create new admin accounts on vulnerable, internet-facing devices.


Whether intentionally or accidentally, the vulnerability (or this specific path for triggering it) has been addressed in the latest FortiWeb version (8.0.2), Rapid7 researchers confirmed.

Exploitation in the wild

Exploitation attempts were first observed at the beginning of October by threat intelligence company Defused, after one of their honeypots had been targeted.

The now publicly available proof-of-concept exploit has been tested by Rapid7 and watchTowr researchers, and the latter have also published a script that can be used to detect if a specific FortiWeb is vulnerable to this authentication bypass flaw.

Fortinet hasn’t published a security advisory that might identify this vulnerability and has yet to officially comment on the matter.

What to do?

“Exploitation of this new vulnerability allows an attacker with no existing level of access to gain administrator-level access to the FortiWeb Manager panel and websocket command-line interface,” Rapid7 researchers explained.

To prevent exploitation, Fortinet customers using the web application firewall have been advised to either update to version 8.0.2 or remove their FortiWeb management interface from the public internet.

Those whose FortiWeb management interface has been reachable from the internet at any point since early October should also check for known indicators of compromise and for new, unrecognized admin user accounts and, if any are found, should conduct a full incident investigation.

UPDATE (November 14, 2025, 02:35 a.m. ET):

Fortinet has released a security advisory detailing this actively exploited relative path traversal vulnerability, and confirmed that it has been silently patched in FortiWeb 8.0.2, 7.6.5, 7.4.10, 7.2.12, and 7.0.12.

The flaw has also received a unique identifier: CVE-2025-64446.

Some of these patched versions, including v8.0.2, were released several weeks after the first report of the vulnerability being under attack, but Fortinet apparently (and disappointingly) chose to keep quiet about it.

The security advisory released today confirms that “Fortinet has observed this to be exploited in the wild,” after many other security teams said the same thing.

CISA has added CVE-2025-64446 to its Known Exploited Vulnerabilities catalog and has given US civilian federal agencies a week to apply mitigations per vendor instructions.

FortiWeb users who can’t update, or can’t do so immediately, should disable HTTP or HTTPS on internet-facing interfaces, since the flaw is triggered via specially crafted HTTP or HTTPS requests.

“It is recommended that customers review their configuration for and review logs for unexpected modifications, or the addition of unauthorized administrator accounts,” Fortinet advised.
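Both the earlier advice to look for new, unknown admin accounts and Fortinet’s recommendation above come down to the same check: compare the administrator accounts currently configured on the device with the ones you know you created. The script below is an added example and is not code from Fortinet, Rapid7 or watchTowr. It assumes the operator has exported the `config system admin` section of the running configuration (FortiOS-style `config`/`edit`/`set`/`next`/`end` syntax) to a text file and keeps a baseline list of legitimate account names taken from a known-good export made before early October; the field names in the sample and the sample configuration itself are constructed for illustration.

```python
"""
Audit FortiWeb administrator accounts against a known-good baseline.

Added example, not vendor code. Assumes a text export of the
'config system admin' block in FortiOS-style syntax; the setting
names below (access-profile, trusthost1) and the sample data are
assumptions/constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Accounts the operator deliberately created (constructed baseline).
BASELINE_ADMINS = {"admin", "noc-ro"}

# Constructed sample export: two legitimate accounts plus one nobody recognises.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set access-profile prof_admin
        set trusthost1 10.0.0.0/8
    next
    edit "noc-ro"
        set access-profile prof_readonly
    next
    edit "sysadm1n"
        set access-profile prof_admin
    next
end
"""


@dataclass
class AdminEntry:
    name: str
    settings: dict = field(default_factory=dict)


def parse_admin_section(text):
    """Return the AdminEntry objects found inside 'config system admin ... end'."""
    entries = []
    in_section = False
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "end":
            break
        m = re.match(r'edit\s+"([^"]+)"', line)
        if m:
            current = AdminEntry(name=m.group(1))
            continue
        m = re.match(r"set\s+(\S+)\s+(.*)", line)
        if m and current is not None:
            current.settings[m.group(1)] = m.group(2)
            continue
        if line == "next" and current is not None:
            entries.append(current)
            current = None
    return entries


def find_unexpected_admins(config_text, baseline):
    """Account names present on the device but absent from the baseline."""
    found = {e.name for e in parse_admin_section(config_text)}
    return sorted(found - set(baseline))


def find_missing_admins(config_text, baseline):
    """Baseline accounts that are no longer present (possible tampering or lockout)."""
    found = {e.name for e in parse_admin_section(config_text)}
    return sorted(set(baseline) - found)


def audit_report(config_text, baseline):
    """Human-readable findings; an ALERT line means an unrecognised admin exists."""
    unexpected = find_unexpected_admins(config_text, baseline)
    missing = find_missing_admins(config_text, baseline)
    lines = []
    if not unexpected and not missing:
        lines.append("OK: admin accounts match the baseline")
    for name in unexpected:
        lines.append(f"ALERT: unknown admin account {name!r}; check creation time, "
                     f"source address and any config changes made by it")
    for name in missing:
        lines.append(f"WARN: baseline admin {name!r} is missing")
    return lines


if __name__ == "__main__":
    for line in audit_report(SAMPLE_CONFIG, BASELINE_ADMINS):
        print(line)
```

Run it against a fresh export from each internet-exposed FortiWeb; any ALERT line is a reason to treat the device as compromised and start the full incident investigation the article describes, rather than simply deleting the account.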
