An authentication bypass vulnerability in Fortinet FortiWeb firewalls is being exploited in the wild in “widespread and ongoing” attacks, says cybersecurity firm watchTowr. The vulnerability appears to have been quietly patched in the FortiWeb 8.0.2 release, without a CVE being assigned.

UPDATED: CVE-2025-64446 (CVSS 9.1) is assigned. Security researchers say there is evidence of attacker-created local admin accounts on compromised boxes going back to July 2025. (Exploitation gives full admin account takeover.) Defused Cyber says it has seen over 23 variants of the exploit deployed against its honeypot.

Fortinet said: "A relative path traversal vulnerability [CWE-23] in FortiWeb may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests."

Versions 7.0 through to 8.0.1 are affected.

"Disable HTTP or HTTPS for internet facing interfaces. Fortinet recommends taking this action until an upgrade can be performed. If the HTTP/HTTPS Management interface is internally accessible only as per best practice, the risk is significantly reduced." - Fortinet
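As an added example (not code from the article, Fortinet or watchTowr), a small fleet-triage script that applies the three data points above: the affected version range (7.0 through 8.0.1, fixed in 8.0.2), the mitigation of removing HTTP/HTTPS management from internet-facing interfaces, and the indicator of unexpected local admin accounts created since July 2025. The inventory format, field names and sample devices are assumptions.

```python
# Added triage example; inventory shape, field names and sample data are assumptions.
from dataclasses import dataclass
from datetime import date

FIRST_AFFECTED = (7, 0, 0)                  # article: versions 7.0 through 8.0.1 affected
FIXED_IN = (8, 0, 2)                        # article: quietly fixed in 8.0.2
ROGUE_ADMINS_SEEN_SINCE = date(2025, 7, 1)  # article: rogue local admins back to July 2025

def parse_version(text: str) -> tuple:
    # "8.0" -> (8, 0, 0); tolerates a missing patch component
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version: str) -> bool:
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN

@dataclass
class Appliance:
    name: str
    version: str
    mgmt_internet_facing: bool   # HTTP/HTTPS admin interface reachable from the internet
    local_admins: dict           # username -> creation date (constructed data)
    approved_admins: frozenset   # baseline of known admin accounts from change records

def triage(app: Appliance) -> dict:
    rogue = sorted(u for u, created in app.local_admins.items()
                   if u not in app.approved_admins and created >= ROGUE_ADMINS_SEEN_SINCE)
    affected = is_affected(app.version)
    exposed = affected and app.mgmt_internet_facing
    if rogue:
        priority = "incident"            # unexpected admin account: treat as compromised
    elif exposed:
        priority = "assume-compromised"  # watchTowr: unpatched internet-facing boxes likely hit
    elif affected:
        priority = "patch"               # internal-only management reduces, not removes, risk
    else:
        priority = "ok"
    actions = []
    if affected: actions.append(f"upgrade {app.version} -> 8.0.2 or later")
    if exposed: actions.append("disable HTTP/HTTPS management on internet-facing interfaces until upgraded")
    if rogue: actions.append("review and preserve evidence for accounts: " + ", ".join(rogue))
    return {"name": app.name, "priority": priority, "rogue_admins": rogue, "actions": actions}
FLEET = [  # constructed sample inventory
    Appliance("waf-edge-1", "8.0.1", True, {"admin": date(2023, 1, 1), "support2": date(2025, 8, 3)}, frozenset({"admin"})),
    Appliance("waf-int-1", "7.4.3", False, {"admin": date(2023, 1, 1)}, frozenset({"admin"})),
    Appliance("waf-edge-2", "8.0.2", True, {"admin": date(2023, 1, 1)}, frozenset({"admin"})),
]
def triage_fleet(fleet=FLEET) -> dict:
    return {r["name"]: r["priority"] for r in map(triage, fleet)}
```

Run `triage_fleet()` against a real export of your own inventory; the sample fleet exists only to show the three outcomes side by side.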


UPDATED: watchTowr has a breakdown here.

Loyal Fortinet users like to say that a focus on the firm’s 20 known-exploited vulnerabilities (Palo Alto Networks: 19; Ivanti: 30; Cisco: 82) is unfair, and that basic best practice, such as keeping management planes well away from the public internet, avoids most of the pain from such vulnerabilities.

Despite this, watchTowr suggests there are some 80,000 FortiWeb WAFs in total on the public internet: “Given the indiscriminate exploitation observed by the watchTowr team… appliances that remain unpatched are likely already compromised,” it said. 
