Executive Summary

On October 28, 2025, Fortinet released a security patch for a critical zero-day vulnerability, CVE-2025-64446, in its FortiWeb web application firewall (WAF) product line. The vulnerability, a path traversal flaw with a CVSS score of 9.8, was being actively exploited in the wild, allowing unauthenticated remote attackers to gain full administrative control by creating a new administrator account. Despite the active exploitation, the patch was released silently, without an accompanying security advisory, delaying public awareness. The CISA later added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on November 14, 2025, confirming the ongoing threat and mandating that federal agencies patch it. All organizations using affected FortiWeb appliances are urged to upgrade immediately and hunt for signs of compromise.

Vulnerability Details

• CVE-2025-64446: Path Traversal (CVSS 9.8 - Critical)
• Description: This vulnerability allows an unauthenticated, remote attacker to send a specially crafted HTTP or HTTPS request to a vulnerable FortiWeb device. The request exploits a path traversal weakness to trigger the execution of unauthorized code, which in turn allows the attacker to create a new administrative user account.
• Impact: Successful exploitation grants the attacker complete control over the FortiWeb appliance. This allows them to alter security policies, bypass protections for web applications, access sensitive traffic, and use the compromised device as a pivot point to attack the internal network.

Affected Products

• FortiWeb versions prior to 8.0.2, 7.6.5, 7.4.10, 7.2.12, and 7.0.12 are affected.

Exploitation Status

The vulnerability was a zero-day, meaning it was actively exploited by threat actors before a patch was available. Attacks have been observed since at least early October 2025, with attackers originating from the US, Europe, and Asia. The addition to the CISA KEV catalog serves as definitive proof of active, real-world exploitation and elevates the urgency for patching to the highest level.

Impact Assessment

A compromised WAF represents a catastrophic failure of an organization's perimeter security.

• Bypass of Web Security: An attacker can disable all WAF rules, leaving backend web applications exposed to attacks like SQL injection, cross-site scripting, and others.
• Data Interception: The attacker could potentially decrypt and inspect sensitive HTTPS traffic passing through the WAF, including user credentials, session cookies, and personal data.
• Network Pivot: The compromised FortiWeb appliance provides a trusted, strategic position on the network edge from which to launch further attacks against internal systems.
• Loss of Trust: The compromise of a core security device undermines the integrity of the entire security architecture.

Detection Methods

D3FEND Technique: The primary indicator of compromise is an unauthorized account. Detection relies on D3-LAM - Local Account Monitoring and reviewing web server logs for exploit attempts.

1. Audit Administrator Accounts: The most critical detection step is to immediately inspect the FortiWeb device for any unauthorized or recently created administrator accounts. Compare the list of accounts against a known-good baseline.
2. Analyze System Logs: Review FortiWeb system and event logs for any unusual activity, particularly the creation of new user accounts (event_id=4101 for user creation). Look for logs generated by unknown IP addresses.
3. Review Web Logs: Examine HTTP/HTTPS logs for suspicious requests containing path traversal sequences (e.g., ..%2f, ..\) or other crafted patterns aimed at the device's management interface.
4. Vulnerability Scanning: Use vulnerability scanners to identify any FortiWeb appliances in your environment that have not been upgraded to a patched version.

Remediation Steps

D3FEND Countermeasure: The only effective remediation is to patch the system via D3-SU - Software Update. Isolating the management interface is a critical hardening step.

1. Upgrade Immediately: The highest priority is to upgrade all vulnerable FortiWeb appliances to a patched firmware version (8.0.2, 7.6.5, 7.4.10, 7.2.12, or 7.0.12 and later).
2. Hunt for Compromise: After patching, perform the detection steps outlined above. If any unauthorized accounts are found, assume the device and potentially the network are compromised. Remove the malicious accounts, preserve logs for forensic analysis, and initiate your incident response plan.
3. Restrict Management Interface Access: As a best practice, the FortiWeb management interface should never be exposed to the internet. Restrict access to a secure, internal management network or specific trusted IP addresses. This single step would have mitigated the risk of remote exploitation for this vulnerability.