Ethical Hacking News

Fortinet's Critical Make-Me-Admin Bug: A Wake-Up Call for Cybersecurity Awareness


Fortinet has finally acknowledged a critical bug in its web application firewall product that allows unauthenticated attackers to execute administrative commands and fully take over vulnerable devices. As exploitation continues to spread, cybersecurity experts are warning of the importance of applying patches and staying vigilant against emerging threats.

  • Fortinet has acknowledged a critical bug in its FortiWeb web application firewall product (CVE-2025-64446) that allows unauthenticated attackers to execute administrative commands.
  • The vulnerability has been exploited in the wild since early October and is widespread, with third-party security sleuths reporting exploitation occurring globally.
  • Exploitation focuses on adding a new administrator account as a basic persistence mechanism for attackers.
  • At least 80,000 FortiWeb web app firewalls are reachable from the internet, leaving every unpatched one exposed to this attack.
  • Fortinet advises applying patches immediately to prevent exploitation, but warns that unpatched appliances may already be compromised.



Fortinet, a leading provider of cybersecurity solutions, has finally acknowledged a critical bug in its FortiWeb web application firewall product that allows unauthenticated attackers to execute administrative commands and fully take over vulnerable devices. The vulnerability, tracked as CVE-2025-64446, was discovered earlier this year but didn't have a CVE assigned until recently, when Fortinet admitted to having "observed this to be exploited in the wild."

The disclosure is significant because a proof-of-concept exploit has been circulating since early October, and third-party security sleuths have told The Register that exploitation is widespread. According to watchTowr CEO and founder Benjamin Harris, the vulnerability allows attackers to perform actions as a privileged user, with in-the-wild exploitation focusing on adding a new administrator account as a basic persistence mechanism for the attackers.

watchTowr successfully reproduced the vulnerability and created a working PoC, along with a Detection Artefact Generator to help defenders identify vulnerable hosts in their IT environments. Despite the fix in version 8.0.2, the attacks remain ongoing, and at least 80,000 FortiWeb web app firewalls are connected to the internet, according to Harris.

"Apply patches if you haven't already," he advised. "That said, given the indiscriminate exploitation observed by the watchTowr team and our Attacker Eye sensor network, appliances that remain unpatched are likely already compromised."

The battering attempts against Fortinet's web application firewalls date back to October 6, when cyber deception firm Defused published a PoC on social media that one of their FortiWeb Manager honeypots caught. At the time, the bug hadn't been disclosed nor did it have a CVE.
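Because the exploitation described above leaves a concrete artefact (an administrator account the organisation never created), the first triage step on an appliance that was exposed before patching is to compare its current admin list against a known-good baseline. The following script is an added example written for this article, not code from Fortinet, watchTowr or The Register; the comma-separated export layout, the account names and the baseline are constructed assumptions, and the only date taken from the article is October 6, 2025, when exploitation attempts were first caught.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample of an administrator-account export as a defender might pull
# it from a FortiWeb appliance. The 'name,profile,created' layout is an
# assumption made for this example; it is not FortiWeb's real export format.
EXPORTED_ADMINS = """\
# name,profile,created
admin,prof_admin,2023-03-01
secops,prof_admin,2024-06-12
sys_backup,prof_admin,2025-10-09
"""

# Accounts the organisation knows it created (constructed baseline).
BASELINE_ADMINS = frozenset({"admin", "secops"})

# Earliest date on which the article reports exploitation attempts being caught.
EXPLOIT_OBSERVED_FROM = date(2025, 10, 6)


@dataclass(frozen=True)
class AdminAccount:
    name: str
    profile: str
    created: date


@dataclass(frozen=True)
class Finding:
    account: AdminAccount
    reasons: tuple


def parse_admin_export(text: str) -> list:
    """Parse the assumed 'name,profile,YYYY-MM-DD' export into records,
    skipping blank and '#' comment lines and rejecting malformed rows."""
    accounts = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        name, profile, created = parts
        accounts.append(AdminAccount(name, profile, date.fromisoformat(created)))
    return accounts


def find_suspect_admins(accounts, baseline, since) -> list:
    """Flag every admin account absent from the baseline, and note whether it
    was created inside the exploitation window (on or after `since`)."""
    findings = []
    for acct in accounts:
        reasons = []
        if acct.name not in baseline:
            reasons.append("not in approved baseline")
            if acct.created >= since:
                reasons.append(f"created {acct.created}, inside exploitation window")
        if reasons:
            findings.append(Finding(acct, tuple(reasons)))
    return findings


def audit(text=EXPORTED_ADMINS, baseline=BASELINE_ADMINS, since=EXPLOIT_OBSERVED_FROM):
    """Run the full check on an export and return the list of findings."""
    return find_suspect_admins(parse_admin_export(text), baseline, since)


if __name__ == "__main__":
    for f in audit():
        print(f"SUSPECT {f.account.name}: " + "; ".join(f.reasons))
```

On the constructed input only `sys_backup` is reported, with both reasons. A clean result from this diff is necessary but not sufficient: it only covers the persistence pattern the article describes (a newly added administrator), so an appliance that was reachable while unpatched still warrants a review of existing accounts and of configuration changes made since October 6.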

This story remains ongoing, and The Register will provide updates as we learn more about the FortiWeb attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Fortinets-Critical-Make-Me-Admin-Bug-A-Wake-Up-Call-for-Cybersecurity-Awareness-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/11/14/fortinet_active_exploit_cve_2025_64446/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-64446

  • https://www.cvedetails.com/cve/CVE-2025-64446/


  • Published: Fri Nov 14 14:54:18 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.