Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability

Security firms say the flaw has been actively exploited for weeks, even as Fortinet quietly shipped fixes and CISA added the bug to its KEV catalog.

Fortinet on Friday warned of an exploited FortiWeb vulnerability that allows remote, unauthenticated attackers to gain administrative access to the web application firewall appliances.

Tracked as CVE-2025-64446 (CVSS score of 9.1), the bug is described as a relative path traversal issue that can be exploited via crafted HTTP or HTTPS requests to execute administrative commands on the system.

“Fortinet has observed this to be exploited in the wild,” the company noted in its advisory, without providing additional details on the attack(s).

The flaw impacts FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11 ...