Fortinet customers told to update immediately following major security issue - here's what we know

• CVE-2025-64446 allows unauthenticated attackers to run admin commands on FortiWeb WAF systems
• Actively exploited in the wild; affects versions 7.0.0–8.0.1, patched in 8.0.2
• CISA added it to KEV; Fortinet urges immediate patching or disabling internet-facing HTTP/HTTPS interfaces

Fortinet has released a fix for a critical vulnerability in its FortiWeb web application firewall (WAF), and has urged customers to update immediately, as the flaw is being actively exploited in the wild.

The company published a new security advisory, saying it addressed a relative path traversal vulnerability that allows unauthenticated threat actors to execute administrative commands on the system.

The bug is now tracked as CVE-2025-64446 and was given a severity score of 9.8/10, meaning it’s critical and that it should be addressed promptly.

Abusing the zero-day

The bug affects multiple versions of the WAF:

8.0.0 through 8.0.1,

7.6.0 through 7.6.4,

7.4.0 through 7.4.9,

7.2.0 through 7.2.11,

7.0.0 through 7.0.11

It was fixed in version 8.0.2, security researchers confirmed.

The fix should be applied without hesitation, Fortinet added, stating that the bug was “observed to be exploited in the wild.”

Indeed, it is, as multiple security outfits have been warning about this one for weeks. In early October 2025, security researchers from Defused published a Proof-of-Concept (PoC) for an “unknown Fortinet exploit”, followed by a demo exploit published by watchTowr Labs.

Those that cannot apply the fix immediately should disable HTTP or HTTPS for internet-facing interfaces, Fortinet advised. “If the HTTP/HTTPS Management interface is internally accessible only as per best practice, the risk is significantly reduced.” Also, after patching, users should review their configuration for and review logs for unexpected modifications, and to see if any new admin accounts were added.

The bug was also added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, meaning federal agencies have until November 21 to patch or stop using Fortinet’s WAF.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA warned.

Via BleepingComputer

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.