Article Details

Scrape Timestamp (UTC): 2025-11-14 20:47:44.865

Source: https://www.theregister.com/2025/11/14/fortinet_active_exploit_cve_2025_64446/

Original Article Text


Fortinet finally cops to critical make-me-admin bug under active exploitation

More than a month after PoC made public

Fortinet finally published a security advisory on Friday for a critical FortiWeb path traversal vulnerability under active exploitation – but it appears digital intruders got a month's head start.

The bug, now tracked as CVE-2025-64446, allows unauthenticated attackers to execute administrative commands on Fortinet's web application firewall product and fully take over vulnerable devices. It's fully patched in FortiWeb version 8.0.2, but it didn't even have a CVE assigned to it until Friday, when the vendor admitted to having "observed this to be exploited in the wild."

Also on Friday, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-64446 to its Known Exploited Vulnerabilities Catalog.

A Fortinet spokesperson declined to answer The Register's questions about exploitation, including the scope of the attacks and when they began, and emailed us this statement:

We are aware of this vulnerability and activated our PSIRT response and remediation efforts as soon as we learned of this matter, and those efforts remain ongoing. Fortinet diligently balances our commitment to the security of our customers and our culture of responsible transparency. With that goal and principle top of mind, we are communicating directly with affected customers to advise on any necessary recommended actions. We urge our customers to refer to the advisory and follow the guidance provided for CVE FG-IR-25-910.

However, it appears a proof-of-concept (PoC) exploit has been making the rounds since early October, and third-party security sleuths have told The Register that exploitation is widespread.

"The watchTowr team is seeing active, indiscriminate in-the-wild exploitation of what appears to be a silently patched vulnerability in Fortinet's FortiWeb product," watchTowr CEO and founder Benjamin Harris told us prior to Fortinet's security advisory.

"The vulnerability allows attackers to perform actions as a privileged user – with in-the-wild exploitation focusing on adding a new administrator account as a basic persistence mechanism for the attackers," he added.

WatchTowr successfully reproduced the vulnerability and created a working PoC, along with a Detection Artefact Generator to help defenders identify vulnerable hosts in their IT environments.

Despite the fix in version 8.0.2, the attacks remain ongoing, and at least 80,000 FortiWeb web app firewalls are connected to the internet, according to Harris.

"Apply patches if you haven't already," he advised. "That said, given the indiscriminate exploitation observed by the watchTowr team and our Attacker Eye sensor network, appliances that remain unpatched are likely already compromised."

The battering attempts against Fortinet's web application firewalls date back to October 6, when cyber deception firm Defused published a PoC on social media that one of their FortiWeb Manager honeypots caught. At the time, the bug hadn't been disclosed nor did it have a CVE.

According to Rapid7 threat hunters, the PoC doesn't work against the latest FortiWeb version, but it does work against earlier releases, including 8.0.1 released in August. The security shop also spotted an apparent zero-day exploit targeting FortiWeb listed for sale on November 6 on a malware- and exploit-slinging marketplace.

"While it is not clear at this time if this is the same exploit as the one described above, the timing is coincidental," the Rapid7 bug hunters said.

This story, much like the exploitation of CVE-2025-64446, remains ongoing, and The Register will provide updates as we learn more about the FortiWeb attacks.
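As an added triage example (not code from The Register, Fortinet, watchTowr or Rapid7), the script below turns the two actionable points in the article into a check over a constructed appliance inventory: is the reported FortiWeb version below 8.0.2, and does the appliance carry administrator accounts absent from an approved baseline, the persistence technique watchTowr describes. It assumes any version below 8.0.2 is unpatched (the article names 8.0.2 as fixed and 8.0.1 as exploitable; fixed builds for other release branches are not stated on this page, so check advisory FG-IR-25-910 before relying on that rule) and uses October 6, 2025, the date the honeypot-captured PoC was posted, only to annotate account creation dates. Host names, versions and account lists are constructed. It does not detect exploitation and is no substitute for watchTowr's Detection Artefact Generator; it only sorts appliances into "patch and assume compromised", "investigate" and "no findings".

```python
"""Triage helper for CVE-2025-64446 (FortiWeb). Added example; assumptions are
noted inline. Nothing here talks to a device: feed it an inventory you export."""
import re
from dataclasses import dataclass
from datetime import date

# Assumption: 8.0.2 is the fixed release per the article; lower versions on any
# branch are treated as unpatched here. Confirm other branches against FG-IR-25-910.
FIXED_VERSION = (8, 0, 2)
# Date the article gives for the publicly posted, honeypot-captured PoC.
PUBLIC_POC_DATE = date(2025, 10, 6)


def parse_version(s: str) -> tuple[int, int, int]:
    """Pull the leading dotted version out of strings like '8.0.1' or 'v8.0.1 build0042'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"unparseable FortiWeb version: {s!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_unpatched(version: str) -> bool:
    """True when the reported version is below the fixed release."""
    return parse_version(version) < FIXED_VERSION


@dataclass
class Appliance:
    host: str
    version: str
    admins: dict[str, date]  # administrator account name -> creation date


def triage(app: Appliance, baseline_admins: set[str]) -> list[str]:
    """Return human-readable findings for one appliance."""
    findings = []
    if is_unpatched(app.version):
        findings.append(f"unpatched: {app.version} is below 8.0.2")
    for name, created in sorted(app.admins.items()):
        if name in baseline_admins:
            continue
        # Every unexpected admin is reported; the date only helps prioritise,
        # since attack attempts predate the public PoC post.
        when = "on/after public PoC date" if created >= PUBLIC_POC_DATE else "before public PoC date"
        findings.append(f"unexpected admin account {name!r} created {created.isoformat()} ({when})")
    return findings


def verdict(app: Appliance, baseline_admins: set[str]) -> str:
    """Collapse findings to one label, following Harris's advice that unpatched
    internet-facing appliances should be assumed compromised."""
    findings = triage(app, baseline_admins)
    if is_unpatched(app.version):
        return "likely_compromised"
    if findings:
        return "investigate"
    return "ok"


# Constructed inventory (no real hosts). Only 'admin' is the approved account.
BASELINE_ADMINS = {"admin"}
SAMPLE_INVENTORY = [
    Appliance("waf-edge-01", "8.0.1", {"admin": date(2025, 1, 10), "support_tmp": date(2025, 10, 12)}),
    Appliance("waf-edge-02", "v8.0.2 build0043", {"admin": date(2025, 1, 10)}),
    Appliance("waf-edge-03", "8.0.2", {"admin": date(2025, 1, 10), "backup_admin": date(2025, 9, 20)}),
]

if __name__ == "__main__":
    for app in SAMPLE_INVENTORY:
        print(f"{app.host}: {verdict(app, BASELINE_ADMINS)}")
        for line in triage(app, BASELINE_ADMINS):
            print(f"  - {line}")
```

Run it against an exported inventory in place of SAMPLE_INVENTORY. A patched appliance with an unknown admin (waf-edge-03 above) is the case worth a closer look: patching stops new exploitation but does not remove an account an attacker already created.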

Daily Brief Summary

VULNERABILITIES // Fortinet's Critical FortiWeb Vulnerability Actively Exploited Before Patch Release

Fortinet disclosed a critical path traversal vulnerability in its FortiWeb web application firewall, tracked as CVE-2025-64446, which allows unauthenticated attackers to execute administrative commands and fully take over vulnerable devices.

The vulnerability was actively exploited before Fortinet issued a security advisory and patch, giving attackers a significant advantage.

The fix shipped in FortiWeb 8.0.2, but the bug had no CVE or advisory until Friday; attack attempts date back to at least October 6, when deception firm Defused published a proof-of-concept captured by one of its honeypots.

The US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities Catalog, confirming in-the-wild exploitation.

WatchTowr reported indiscriminate, widespread exploitation in which attackers add a new administrator account for persistence; Rapid7 confirmed the PoC works against earlier releases including 8.0.1 and spotted an apparent FortiWeb zero-day exploit listed for sale on November 6.

At least 80,000 FortiWeb appliances are exposed to the internet, according to watchTowr, which urges immediate patching and warns that appliances still unpatched are likely already compromised.

Fortinet says it is communicating directly with affected customers and points them to advisory FG-IR-25-910 for recommended actions.