Fortinet has confirmed broad, in‑the‑wild exploitation of a critical zero‑day vulnerability in the FortiWeb web application firewall (WAF). Tracked as CVE‑2025‑64446, the flaw enables unauthenticated attackers to perform administrative actions by sending crafted HTTP(S) requests, resulting in a full authentication bypass. A fix shipped in FortiWeb 8.0.2 prior to public disclosure; the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the issue to its Known Exploited Vulnerabilities (KEV) catalog and mandated expedited remediation.
FortiWeb CVE-2025-64446: timeline and evidence of active exploitation
According to researchers from Defused, the first attacks were observed on 6 October 2025. Adversaries leveraged a URL processing weakness initially mistaken for simple path traversal to create new local administrator accounts on FortiWeb appliances.
A key artifact in these intrusions was a sequence of HTTP POST requests sent to FortiWeb API/CMDB endpoints that, after URL confusion, were routed to sensitive CGI handlers—bypassing normal access controls. While some indicators resembled the 2022 incident CVE‑2022‑40684, Fortinet assigned a distinct identifier for the current bug.
On 28 October 2025, Fortinet released FortiWeb 8.0.2 without technical detail. In the following week, watchTowr Labs demonstrated a working exploit and published an artifact‑detection utility to assist defenders. Rapid7 validated that FortiWeb 8.0.1 and earlier are affected and that public exploits cease to function after upgrading to 8.0.2. On 14 November 2025, Fortinet formally described the issue as a path confusion vulnerability in the FortiWeb GUI and stated it is observing active exploitation in real‑world attacks.
Technical overview: path confusion leading to authentication bypass
Path confusion occurs when a web interface incorrectly normalizes or routes complex URLs (for example, those containing mixed encoding or traversal‑like sequences). In FortiWeb, this logic flaw can redirect requests intended for benign endpoints to privileged handlers, effectively skipping authentication gates.
In practice, a remote attacker can craft requests that the appliance misinterprets as administrative operations—such as creating or modifying local admin accounts or changing system configuration—without knowing valid credentials. The availability of proof‑of‑concept exploits raises the risk of opportunistic mass scanning and rapid compromise.
Why this zero‑day is high impact for perimeter WAFs
FortiWeb appliances often sit at the network perimeter, brokering traffic to business‑critical web applications. A successful authentication bypass on a WAF enables policy tampering, insertion of backdoors, and potential lateral movement into internal systems. The combination of edge exposure, account creation capability, and working exploits materially elevates operational risk.
Affected versions, patch status, and mitigations
Per Rapid7 and Fortinet advisories, the vulnerability impacts FortiWeb 8.0.1 and earlier. Upgrading to FortiWeb 8.0.2 is the primary remediation and blocks known exploit techniques. Organizations unable to upgrade immediately should apply the vendor’s interim mitigations outlined in the official security bulletin.
CISA has added CVE‑2025‑64446 to the KEV catalog and directed U.S. federal agencies to remediate by 21 November 2025, signaling the urgency for all sectors to prioritize patching.
Detection, incident response, and hardening guidance
Review FortiWeb logs for unusual POST requests targeting API/CMDB endpoints that resolve to CGI handlers following complex or encoded URL paths. Investigate new or modified local administrator accounts, unexpected configuration changes, and anomalies in the management GUI access patterns.
Leverage publicly available artifact‑detection tools published by reputable researchers (e.g., watchTowr Labs) to accelerate triage. Tighten control plane exposure by restricting management GUI access to approved IP ranges or VPN, enabling MFA where applicable, and increasing alerting on authentication and configuration events. After patching, rotate credentials and access tokens/keys and validate appliance integrity.
Given confirmed exploitation activity and inclusion in CISA’s KEV, organizations should act decisively: upgrade to 8.0.2 without delay, hunt for indicators of compromise, and implement durable access controls around WAF management interfaces. Rapid, coordinated response will limit attacker dwell time and reduce the likelihood of downstream impacts to application environments.
