Fortinet Silently Patches Critical FortiWeb Zero-Day Under Active Exploitation

In a move that highlights the high-stakes world of cybersecurity, Fortinet has confirmed it quietly addressed a severe zero-day vulnerability in its FortiWeb web application firewall—a tool designed to shield web applications from threats. This flaw, now cataloged as CVE-2025-64446, allows unauthenticated attackers to execute administrative commands via crafted HTTP or HTTPS requests, effectively handing over control of vulnerable systems. The vulnerability has been 'massively exploited in the wild,' according to Fortinet, putting countless enterprise networks at risk.

The trouble began surfacing in early October when threat intelligence firm Defused reported unusual activity: attackers leveraging an unknown path traversal vulnerability in FortiWeb to POST HTTP requests to a specific endpoint, creating new local admin-level accounts. This wasn't just theoretical—Defused even published a proof-of-concept (PoC) exploit, raising alarms for defenders. By mid-October, watchTowr Labs researchers demonstrated a working exploit and released a tool, the 'FortiWeb Authentication Bypass Artifact Generator,' to help identify compromised devices. Rapid7 chimed in, noting the issue affected FortiWeb versions 8.0.1 and earlier, and confirmed that the PoC no longer works post-patch in version 8.0.2.

Fortinet's Friday security advisory finally pulled back the curtain, attributing the attacks to a path confusion vulnerability in the product's GUI component. The company had rolled out the fix in FortiWeb 8.0.2 on October 28—three weeks after the first reports—but chose a silent patch, a common tactic to avoid tipping off attackers. Affected versions span multiple branches, from 7.0 to 8.0, with clear upgrade paths provided:

For those unable to patch immediately, Fortinet recommends disabling HTTP/HTTPS on internet-facing management interfaces and restricting access to trusted networks only. Administrators are also urged to audit configurations and logs for signs of unauthorized admin accounts or other tampering.

Why This Matters for Enterprise Security

FortiWeb is a cornerstone for many organizations' web application security, often deployed to protect sensitive data and services. A breach here doesn't just compromise the firewall; it opens the door to deeper network infiltration, potentially exposing customer data, intellectual property, or critical infrastructure. This incident echoes recent Fortinet troubles, like the August patch for a command injection flaw (CVE-2025-25256) in FortiSIEM, amid reports of brute-force attacks on SSL VPNs. It's a stark reminder that even established vendors face persistent threats, and silent patching—while tactically sound—can leave customers in the dark, scrambling to catch up.

From a developer's perspective, this vulnerability underscores the perils of path traversal and authentication bypass flaws in web-facing components. These aren't novel issues, yet they persist due to the complexity of legacy codebases and the pressure to roll out features quickly. Security teams should prioritize automated scanning for such weaknesses in CI/CD pipelines and consider zero-trust architectures to limit lateral movement post-breach.

As attackers grow bolder, exploiting zero-days with PoCs that spread like wildfire online, the onus falls on enterprises to stay vigilant. Fortinet's advisory, sourced from BleepingComputer, serves as a call to action: patch now, monitor closely, and rethink exposure. In the ever-evolving cat-and-mouse game of cybersecurity, hesitation could be the costliest move.