Ethical Hacking News
Fortinet has confirmed that a zero-day vulnerability in its FortiWeb web application firewall is being actively exploited in the wild. The patch has been released for version 8.0.2, and admins are advised to upgrade immediately to mitigate the risk of exploitation. This vulnerability highlights the ongoing importance of staying ahead of emerging threats and implementing robust cybersecurity measures.
FortiWeb's GUI component contains a path confusion vulnerability (CVE-2025-64446) that allows unauthenticated attackers to execute administrative commands via crafted HTTP or HTTPS requests. The vulnerability is considered critical and has been actively exploited in the wild, with attackers creating new administrative users on Internet-exposed devices. Fortinet has issued a patch for version 8.0.2, which addresses the CVE-2025-64446 vulnerability and brings relief to the cybersecurity community. Cybersecurity firms recommend disabling HTTP or HTTPS for all internet-facing management interfaces and restricting access to trusted networks until a patch can be applied.
Fortinet has confirmed that it has silently patched a critical zero-day vulnerability in its FortiWeb web application firewall, which is now "massively exploited in the wild." The announcement follows reports of unauthenticated attackers exploiting an unknown FortiWeb path traversal flaw to create new administrative users on Internet-exposed devices.
The attacks were first identified by threat intel firm Defused on October 6, which published a proof-of-concept exploit and reported that an "unknown Fortinet exploit (possibly a CVE-2022-40684 variant)" is being used to send HTTP POST requests to the /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi Fortinet endpoint to create local admin-level accounts.
On Thursday, watchTowr Labs security researchers also demoed an exploit and released a tool called "FortiWeb Authentication Bypass Artifact Generator" to help defenders identify vulnerable devices. Cybersecurity firm Rapid7 added that the flaw affects FortiWeb versions 8.0.1 and earlier, as it confirmed that the publicly available proof-of-concept exploit no longer works after updating to version 8.0.2.
Today, Fortinet disclosed that attackers are actively exploiting a path confusion vulnerability (now tracked as CVE-2025-64446) in FortiWeb's GUI component, which allows unauthenticated attackers to execute administrative commands on unpatched systems via crafted HTTP or HTTPS requests. "Fortinet has observed this to be exploited in the wild," the company noted in a Friday security advisory.
In response to the confirmed zero-day exploit, Fortinet has issued a patch for its FortiWeb web application firewall, releasing version 8.0.2 on October 28. This update patches the CVE-2025-64446 vulnerability, which is now considered critical and being actively exploited in the wild. According to Fortinet's advisory, customers with unpatched systems should upgrade to version 8.0.2 or above.
To mitigate the risk of exploitation until a patch can be applied, admins who cannot immediately upgrade to FortiWeb 8.0.2 are advised to disable HTTP or HTTPS for all internet-facing management interfaces and ensure that access is restricted to trusted networks. Additionally, customers should check their configuration and review logs for new unauthorized administrator accounts and other unexpected modifications.
Fortinet's patch has brought some relief to the cybersecurity community, but it also highlights the importance of regular software updates and monitoring for known vulnerabilities. In recent months, Fortinet has patched several critical security flaws in its products, including a command injection flaw (CVE-2025-25256) in its FortiSIEM security monitoring solution.
The exploitation of this vulnerability is particularly concerning given the widespread use of FortiWeb by organizations around the world. The fact that attackers have successfully exploited this zero-day flaw to create new administrative users on Internet-exposed devices underscores the need for prompt patching and vigilance in monitoring for suspicious activity.
The 2026 CISO Budget Benchmark report from BleepingComputer highlights the importance of staying ahead of emerging threats and investing in robust cybersecurity measures. In light of this recent vulnerability, it is essential for organizations to prioritize software updates, implement robust security configurations, and regularly monitor their systems for signs of exploitation.
The Fortinet zero-day exploit serves as a reminder that even seemingly secure products can be vulnerable to attack. It also underscores the importance of vigilance in monitoring for known vulnerabilities and implementing prompt patching measures to minimize the risk of exploitation.
In summary, the confirmed exploitation of a critical zero-day vulnerability in FortiWeb highlights the need for organizations to prioritize software updates, implement robust security configurations, and regularly monitor their systems for signs of exploitation. With the release of version 8.0.2, Fortinet has addressed this critical vulnerability, but it also underscores the ongoing importance of staying ahead of emerging threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Fortinet-Confirms-Silent-Patch-for-FortiWeb-Zero-Day-Exploited-in-Attacks-ehn.shtml
https://www.bleepingcomputer.com/news/security/fortinet-confirms-silent-patch-for-fortiweb-zero-day-exploited-in-attacks/
https://nvd.nist.gov/vuln/detail/CVE-2025-64446
https://www.cvedetails.com/cve/CVE-2025-64446/
Published: Fri Nov 14 11:07:03 2025 by llama3.2 3B Q4_K_M
