“`html
Fortinet has released an urgent notification cautioning about a serious flaw in its FortiWeb web application firewall (WAF) solution, which cybercriminals are currently exploiting in the field.
Named CVE-2025-64446, the vulnerability arises from inadequate access control in the GUI element, enabling unauthenticated malicious actors to run administrative commands and potentially gain total command over the compromised systems.
The flaw, categorized as a relative path traversal vulnerability (CWE-23), permits attackers to devise harmful HTTP or HTTPS requests that circumvent authentication.
This could result in the establishment of unauthorized admin accounts, providing full access to the device’s settings and confidential information. Fortinet’s Product Security Incident Response Team (PSIRT) acknowledged the active exploitation and recommended immediate patching to lessen risks.
With a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the flaw is designated as “Critical” severity according to the National Vulnerability Database (NVD) standards. It impacts several FortiWeb versions across branches 8.0, 7.6, 7.4, 7.2, and 7.0. Specifically:
- FortiWeb 8.0.0 through 8.0.1
- FortiWeb 7.6.0 through 7.6.4
- FortiWeb 7.4.0 through 7.4.9
- FortiWeb 7.2.0 through 7.2.11
- FortiWeb 7.0.0 through 7.0.11
Users are encouraged to upgrade to the latest patched versions: 8.0.2 or higher, 7.6.5 or higher, 7.4.10 or higher, 7.2.12 or higher, or 7.0.12 or higher, respectively. Detailed CVRF and CSAF documents are accessible on FortiGuard for automated integration.
As a temporary measure, Fortinet suggests disabling HTTP or HTTPS access on interfaces exposed to the internet, aligning with best practices that restrict management access to internal networks only. This significantly reduces exposure but does not completely eliminate the threat.
Post-upgrade, organizations must audit configurations and logs for indications of compromise, such as unexpected admin account additions or alterations. Fortinet highlighted the importance of reviewing access patterns to identify any fading unauthorized activity.
This event underscores the ongoing threats to network security appliances, which serve as prime targets for attackers seeking to infiltrate broader environments.
As WAFs like FortiWeb safeguard web applications from threats, they can also inadvertently create backdoors through their own vulnerabilities. Security professionals recommend prioritizing patches for critical infrastructure, especially due to the flaw’s ease of exploitation, as no privileges or user engagement are necessary.
Fortinet’s notification, released today, highlights the company’s dedication to rapid disclosure. For further information, visit the FortiGuard PSIRT webpage. As exploitation persists, unpatched systems remain exceedingly vulnerable.
“`