Fortinet Discloses Critical FortiWeb Zero-Day After Weeks of Active Exploitation

Fortinet acknowledged a critical authentication bypass vulnerability in FortiWeb firewalls only after security researchers published proof-of-concept exploits—nearly six weeks after attacks began and three weeks after the company quietly patched the flaw.

Timeline of Disclosure Failure

The vulnerability's exploitation timeline reveals a problematic gap between patch availability and public disclosure:

October 6, 2025 - Defused researchers detected the first attacks exploiting a zero-day path traversal vulnerability in FortiWeb. Threat actors were creating unauthorized administrator accounts by sending specially crafted HTTP POST requests to the endpoint /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi. Researchers initially suspected a variant of the 2022 vulnerability CVE-2022-40684.

October 28, 2025 - Fortinet released FortiWeb 8.0.2 containing a patch for the vulnerability. The company provided no advisory, public notice, or vulnerability details.

Early November 2025 - watchTowr Labs published a working exploit and released the FortiWeb Authentication Bypass Artifact Generator tool to help administrators identify compromised devices. Rapid7 analysts confirmed the vulnerability affects FortiWeb 8.0.1 and earlier versions, and verified that public exploits fail after updating to version 8.0.2.

November 14, 2025 - Fortinet officially disclosed the vulnerability, assigning it CVE-2025-64446 and classifying it as a path confusion flaw in the FortiWeb GUI component.

"Fortinet is observing active exploitation of this vulnerability in real-world attacks," the company's belated security advisory stated.

The Vulnerability

CVE-2025-64446 allows unauthenticated attackers to execute administrative commands on vulnerable FortiWeb systems through specially crafted HTTP or HTTPS requests. No credentials required—just a properly formatted request grants full administrative access.

The flaw affects multiple FortiWeb versions:

• FortiWeb 8.0.0 – 8.0.1 (patched in 8.0.2 or higher)
• FortiWeb 7.6.0 – 7.6.4 (patched in 7.6.5 or higher)
• FortiWeb 7.4.0 – 7.4.9 (patched in 7.4.10 or higher)
• FortiWeb 7.2.0 – 7.2.11 (patched in 7.2.12 or higher)
• FortiWeb 7.0.0 – 7.0.11 (patched in 7.0.12 or higher)

How Attackers Exploit It

The attack mechanism involves path traversal through the FortiWeb API to reach administrative functions. By manipulating the URL path, attackers bypass authentication checks and create new administrator accounts with full system privileges.

This access allows threat actors to:

• Modify firewall configurations
• Extract sensitive data
• Deploy additional malware
• Establish persistent access
• Pivot to other network segments

What Organizations Must Do

Fortinet recommends immediate action for organizations unable to patch immediately:

Critical mitigations:

• Disable HTTP and HTTPS on all management interfaces accessible from the internet
• Restrict administrative panel access to trusted networks only
• Audit configurations and logs for unauthorized administrator accounts
• Review system changes for suspicious modifications

Verification steps:

• Check for newly created administrative accounts
• Review access logs for requests to /api/v2.0/cmdb/system/admin endpoints
• Examine configuration change history
• Monitor for unusual administrative activity

Regulatory Response

The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-64446 to its Known Exploited Vulnerabilities (KEV) catalog and mandated federal agencies remediate the issue by November 21, 2025.

The Disclosure Problem

Fortinet's handling of this vulnerability follows a troubling pattern in the security industry: silently patching actively exploited flaws without warning customers who remain vulnerable.

For three weeks, organizations running unpatched FortiWeb systems had no way to know they faced active attacks. Administrators monitoring Fortinet security advisories saw nothing. Only after independent researchers published exploits did Fortinet acknowledge the problem.

This delay between patch availability and disclosure leaves a dangerous window where:

• Attackers know the vulnerability exists (they're exploiting it)
• Security researchers can reverse-engineer patches to find the flaw
• Customers remain unaware their systems are under active attack
• Organizations cannot prioritize patching without threat context

FortiWeb devices sit at network perimeters, protecting web applications from attacks. When the protection mechanism itself becomes compromised—and the vendor doesn't immediately warn customers—the security impact multiplies across every application behind those firewalls.

Organizations using FortiWeb should assume compromise until they can verify otherwise. The vulnerability requires no authentication and creates administrator accounts—exactly the access attackers need to operate undetected.

Patch immediately. Then audit for unauthorized access. The attacks started six weeks ago.