On November 14, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) officially added CVE-2025-64446 to its Known Exploited Vulnerabilities (KEV) catalog. This critical vulnerability affects Fortinet FortiWeb web application firewall (WAF) devices and has been actively exploited in the wild for several weeks, posing a severe risk to organizations running vulnerable versions.
What is CVE-2025-64446?
CVE-2025-64446 is a critical relative path traversal and authentication bypass vulnerability in Fortinet FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, and several earlier branches. The flaw allows an unauthenticated remote attacker to send crafted HTTP or HTTPS requests to the FortiWeb management interface, bypass protections and execute administrative commands. This includes the ability to create new administrative accounts, allowing persistent unauthorized access and full control over affected systems.
Active Exploitation and Impact
First observed in early October 2025, exploitation campaigns have enabled attackers to add unauthorized administrative users — some named “Testpoint” and “trader” — allowing them to persist on FortiWeb devices undetected. This vulnerability is particularly dangerous due to its ability to execute commands without authentication on devices that protect web applications, potentially exposing sensitive business data and infrastructure.
Fortinet silently patched the vulnerability in FortiWeb 8.0.2 and equivalent versions across other branches after researchers publicly disclosed a working exploit and active attacks were confirmed. Despite the patch release, threat actors continue to target unpatched FortiWeb systems.
CISA KEV Catalog Inclusion and Federal Directive
CISA’s inclusion of CVE-2025-64446 in its KEV catalog emphasizes the vulnerability’s criticality and exploitation status. The agency has mandated that all U.S federal agencies patch vulnerable FortiWeb systems by November 21, 2025. This urgency highlights the potential for widespread impact if remediation is delayed.
Mitigation and Recommendations
- Patch FortiWeb Devices Immediately: Upgrade to FortiWeb version 8.0.2 or above, or the corresponding patched versions for your FortiWeb branch (7.6.5+, 7.4.10+, 7.2.12+, and 7.0.12+).
- Restrict Management Interface Access: Disable HTTP and HTTPS access to FortiWeb management interfaces from the public internet to reduce attack surface exposure.
- Monitor for Suspicious Accounts: Audit administrative user accounts on FortiWeb devices and investigate unrecognized or suspicious users for signs of compromise.
- Conduct Forensic Review: Investigate any signs of exploitation or persistence on affected systems to remediate backdoors or malicious configurations.
Conclusion
CVE-2025-64446 is a high-risk vulnerability actively exploited to compromise Fortinet FortiWeb devices worldwide, leading to unauthorized administrative access and broader security risks. Immediate patching and mitigation are essential to defend your organization’s web application infrastructure. Failure to do so risks data breaches, operational disruption, and compliance repercussions given CISA’s federal patch mandates.
Stay vigilant with asset exposure and ensure your FortiWeb firewalls are up to date to block this critical exploit.
