
Fortinet FortiWeb Exploitation Hits Silently Patched Vulnerability

Over the last few days, multiple security companies, CERTs, and individuals have sounded alarms about active exploitation of a silently patched Fortinet FortiWeb vulnerability that is being leveraged to add new (administrative) users, enabling compromise of target devices. Fortinet has not published any information on why the vulnerability was silently patched and initially failed to receive a CVE or a security bulletin. The release notes for the latest version of FortiWeb (8.0.2) make no mention of a related issue or fix.

Update: As of 11 AM ET on November 14, Fortinet has published an advisory and assigned CVE-2025-64446 to a path confusion vulnerability in the FortiWeb GUI.

According to PwnDefend, adversaries are sending POST requests carrying the payload to the following path: /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi. The %3F is a percent-encoded question mark; once the dot segments that follow it are collapsed, the request path resolves to /cgi-bin/fwbcgi, so a component that matches on the /api/v2.0/cmdb/system/admin prefix and a component that resolves the traversal see two different targets for the same request.
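As an added example (not code from the original post, PwnDefend, watchTowr or Fortinet), the Python below shows one way to spot this request shape in access logs from a reverse proxy or IDS placed in front of a FortiWeb management interface. It percent-decodes the path until stable, then compares two interpretations of it: the route a component that splits on the decoded "?" would believe it is handling, and the file the traversal actually resolves to. A request containing ".." that makes those two views disagree, or that resolves onto /cgi-bin/fwbcgi, is flagged. The log format, the log lines and the IP addresses are constructed for the example; FortiWeb's own log format is not assumed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format style) for an HTTP
# proxy or IDS sitting in front of a FortiWeb management interface. These are
# not real FortiWeb logs; the IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Nov/2025:10:15:02 +0000] "POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512
203.0.113.10 - - [13/Nov/2025:10:15:03 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 401 0
198.51.100.7 - - [13/Nov/2025:10:16:30 +0000] "POST /api/v2.0/cmdb/system/admin%253F/..%2F..%2F..%2F..%2F..%2Fcgi-bin/fwbcgi HTTP/1.1" 200 480
192.0.2.55 - - [13/Nov/2025:10:17:00 +0000] "GET /login HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# CGI handler that the traversal reported by PwnDefend resolves to.
FWBCGI = "/cgi-bin/fwbcgi"


def decode_repeatedly(raw: str, limit: int = 3) -> str:
    """Percent-decode until stable (bounded) so that double-encoded traversal
    (%252e%252e, %253F) is exposed the same way a lenient decoder exposes it."""
    cur = raw
    for _ in range(limit):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def resolve_dot_segments(path: str) -> str:
    """Collapse '.' and '..' segments. A '..' at the root is dropped, which is
    why five '..' from five segments deep land exactly on '/'."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def analyze_request(raw_path: str) -> dict:
    """Compute two interpretations of one request path and flag disagreement.

    routed_view    : what a component that splits on the first decoded '?'
                     believes the path is (the API route).
    traversal_view : what a component that treats the whole decoded string as
                     a path resolves it to after collapsing dot segments.
    A request containing '..' whose two views disagree, or that resolves onto
    fwbcgi, is path-confused and treated as hostile. Benign traversal that
    resolves to the same place under both views is not flagged.
    """
    decoded = decode_repeatedly(raw_path)
    has_traversal = ".." in decoded.split("/")
    routed_view = resolve_dot_segments(decoded.split("?", 1)[0])
    traversal_view = resolve_dot_segments(decoded)
    hits_fwbcgi = traversal_view == FWBCGI
    suspicious = has_traversal and (routed_view != traversal_view or hits_fwbcgi)
    return {
        "raw_path": raw_path,
        "encoded_qmark": "%3f" in raw_path.lower(),
        "has_traversal": has_traversal,
        "routed_view": routed_view,
        "traversal_view": traversal_view,
        "hits_fwbcgi": hits_fwbcgi,
        "suspicious": suspicious,
    }


def scan_log(text: str) -> list:
    """Return one finding dict per suspicious request line in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = analyze_request(m["path"])
        if verdict["suspicious"]:
            findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "status": m["status"], **verdict})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} resolves to {f['traversal_view']} "
              f"(route saw {f['routed_view']}, status {f['status']})")
```

Run stand-alone, the script reports the two crafted requests and ignores the plain API call, the login page and ordinary same-directory traversal. Log the raw request line where you can: a proxy that normalizes the URL before logging will have already collapsed the traversal, and a literal match on "/cgi-bin/fwbcgi" alone would miss the encoded forms. A 200 status on a request of this shape to an unpatched device is a strong indicator that a follow-up review of administrator accounts is warranted.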

watchTowr has published a write-up of the attack flow, which appears to involve two discrete vulnerabilities rather than one.

Attack surface management (ASM) queries show varying volumes of FortiWeb exposed to the public internet, with Shodan finding a little under 300 instances (once honeypots have been filtered out) and FOFA showing just shy of 2,700 internet-exposed instances.

Mitigation

Per Fortinet's advisory for CVE-2025-64446, the vulnerability is a relative path traversal issue (CWE-23) that allows unauthenticated attackers to execute administrative commands on the system via crafted HTTP or HTTPS requests. The following FortiWeb versions are affected:

  • 8.0.0 through 8.0.1 (fixed in 8.0.2 or above)
  • 7.6.0 through 7.6.4 (fixed in 7.6.5 or above)
  • 7.4.0 through 7.4.9 (fixed in 7.4.10 or above)
  • 7.2.0 through 7.2.11 (fixed in 7.2.12 or above)
  • 7.0.0 through 7.0.11 (fixed in 7.0.12 or above)

FortiWeb customers should update to a fixed version on an emergency basis and, until the update is complete, disable HTTP and HTTPS management access on internet-facing FortiWeb interfaces. As always, patching does not eradicate prior compromise: organizations should examine their devices for signs of compromise, including any administrative or non-administrative accounts they did not provision themselves. Since CVE-2025-64446 has been exploited in the wild for at least a month prior to public disclosure, organizations would be well advised to invoke their incident response playbooks rather than treat this as a routine patch. Shadowserver shows several hundred FortiWeb management interfaces exposed to the internet.

A Note on Silent Patching

We strongly suggest that FortiWeb customers reach out to the supplier for guidance on threat hunting and IOCs, as well as to request a formal response on why no CVE or advisory was issued when the vulnerability was first fixed. Silently patching vulnerabilities is an established bad practice that enables attackers and harms defenders, particularly for devices and systems (including FortiWeb) that have previously been exploited in the wild. We already know security by obscurity doesn't work; adversaries monitor new product releases and are actively reverse engineering patches regardless of whether suppliers tell their customers about fixed vulnerabilities or not. When popular technology vendors fail to communicate new security issues, they are issuing an invitation to attackers while choosing to keep that same information from defenders.

About VulnCheck

The VulnCheck research team is always on the lookout for new vulnerabilities to analyze and curate. For more research like this, see XWiki Under Increased Attack, VulnCheck Research Highlights: November 2025, and ICTBroadcast Command Injection Actively Exploited.

Sign up for the VulnCheck community today to get free access to our VulnCheck KEV, enjoy our comprehensive vulnerability data, and request a trial of our Initial Access Intelligence, IP Intelligence, and [Exploit & Vulnerability Intelligence](https://www.vulncheck.com/product/exploit-intelligence) products.
