Threat actors are exploiting a zero-day vulnerability, CVE-2025-64446, that has been discovered in Fortinet’s FortiWeb web application firewall product. Successful exploitation of this new vulnerability allows an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
FortiGuard mentioned in the advisory that they are aware of the active exploitation of the vulnerability.
CISA acknowledged the active exploitation of the vulnerability by adding it to its Known Exploited Vulnerabilities Catalog. CISA urged users to patch the vulnerability before November 21, 2025.
FortiWeb is a web application firewall (WAF) designed to protect web applications and APIs from various attacks, including those targeting known vulnerabilities and zero-day exploits. It utilizes machine learning and other techniques to detect and block malicious traffic, enabling organizations to maintain compliance with regulations.
Initial exploitation attempts were detected by Defused, a threat intelligence organization, in early October, when attackers targeted its honeypot system. Security researchers from watchTowr have validated proof-of-concept exploits, and watchTowr has also published a script to detect whether a specific FortiWeb instance is vulnerable to this authentication bypass flaw.
Affected and Patched Versions
| Version | Affected | Patched |
|---|---|---|
| FortiWeb 8.0 | 8.0.0 through 8.0.1 | Upgrade to 8.0.2 or above |
| FortiWeb 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.5 or above |
| FortiWeb 7.4 | 7.4.0 through 7.4.9 | Upgrade to 7.4.10 or above |
| FortiWeb 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.12 or above |
| FortiWeb 7.0 | 7.0.0 through 7.0.11 | Upgrade to 7.0.12 or above |
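As an added example, not code from Fortinet or Qualys, the following Python script triages an asset inventory against the affected ranges in the table above, reporting the first patched release for each affected device and flagging branches the table does not cover. It assumes devices report their firmware as a plain major.minor.patch string; the sample inventory is constructed.

```python
# Affected ranges and first fixed release per branch, taken from the table above:
# (major, minor) -> (first affected, last affected, first patched)
AFFECTED_RANGES = {
    (8, 0): ((8, 0, 0), (8, 0, 1), (8, 0, 2)),
    (7, 6): ((7, 6, 0), (7, 6, 4), (7, 6, 5)),
    (7, 4): ((7, 4, 0), (7, 4, 9), (7, 4, 10)),
    (7, 2): ((7, 2, 0), (7, 2, 11), (7, 2, 12)),
    (7, 0): ((7, 0, 0), (7, 0, 11), (7, 0, 12)),
}

def parse_version(text):
    """Return (major, minor, patch) as ints; raise ValueError on malformed input.
    Assumption: devices report a plain "major.minor.patch" string, maybe with a leading "v"."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    return tuple(int(p) for p in parts)

def triage(version_text):
    """Return ("affected", "<first patched release>"), ("patched", None), or
    ("unknown", None) when the major.minor branch is not in the table, so the
    table alone cannot decide and the advisory must be consulted."""
    ver = parse_version(version_text)
    branch = AFFECTED_RANGES.get(ver[:2])
    if branch is None:
        return ("unknown", None)
    low, high, fix = branch
    if low <= ver <= high:  # tuple comparison, so 8.0.10 sorts after 8.0.1
        return ("affected", ".".join(map(str, fix)))
    return ("patched", None)

def triage_inventory(inventory):
    """Map host -> result for a {host: version} dict; a malformed version string
    is recorded as ("error", message) rather than aborting the whole run."""
    results = {}
    for host, version_text in inventory.items():
        try:
            results[host] = triage(version_text)
        except ValueError as exc:
            results[host] = ("error", str(exc))
    return results

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are not real assets.
    sample = {"waf-edge-01": "7.6.4", "waf-edge-02": "7.6.5", "waf-dmz-01": "8.0.0",
              "waf-lab-01": "6.4.3", "waf-lab-02": "7.4"}
    for host, result in triage_inventory(sample).items():
        print(host, *result)
```

A device in an "unknown" branch is not cleared by this check; the script only encodes the versions the advisory table lists.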
Fortinet recommends that customers review their configuration and logs for unexpected modifications or the addition of unauthorized administrator accounts.
Please refer to the FortiGuard Security Advisory (FG-IR-25-910) for more information.
Workaround
Disable HTTP or HTTPS on internet-facing interfaces. Fortinet recommends taking this action until an upgrade can be performed. If the HTTP/HTTPS management interface is accessible only internally, as per best practice, the risk is significantly reduced.
Qualys Detection
Qualys customers can scan their devices with QIDs 733406 and 733407 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.fortiguard.com/psirt/FG-IR-25-910
https://x.com/DefusedCyber/status/1975242250373517373
https://x.com/watchtowrcyber/status/1989017336632996337
https://github.com/watchtowrlabs/watchTowr-vs-Fortiweb-AuthBypass?tab=readme-ov-file