Fortinet finally cops to critical make-me-admin bug under active exploitation
theregister.co.uk

Fortinet finally published a security advisory on Friday for a critical FortiWeb path traversal vulnerability under active exploitation – but it appears digital intruders got a month's head start.
The bug, now tracked as CVE-2025-64446, allows unauthenticated attackers to execute administrative commands on Fortinet's web application firewall product and fully take over vulnerable devices. It's fully patched in FortiWeb version 8.0.2, but it didn't even have a CVE assigned to it until Friday, when the vendor admitted to having "observed this to be exploited in the wild."
Also on Friday, the US Cybersecurity and Infrastructure Agency (CISA) added CVE-2025-64446 to its Known Exploited Vulnerabilities Catalog.
A Fortinet spokesperson declined to answer The Register's questions about exploitation, including the scope of the attacks and when they began, and emailed us this statement:
We are aware of this vulnerability and activated our PSIRT response and remediation ...
Copyright of this story solely belongs to theregister.co.uk.