Stay ahead of threats with Hoplon Infosec’s expert testing, audits, and threat intelligence.
Hoplon InfoSec Logo

Fortinet vulnerability zero day patch: Hidden 2025 Fix Guide

Fortinet vulnerability zero day patch: Hidden 2025 Fix Guide

Hoplon InfoSec

17 Nov, 2025

Fortinet has quietly fixed a serious zero-day flaw in its FortiWeb web application firewall, which is worrying because it has already been used in the wild. This event shows that even security devices made to protect networks can become prime targets if they are not protected. We'll explain what happened, why it matters, and what companies should do right now in this article.

What exactly happened?

In early October 2025, security researchers noticed something strange: attackers were trying to get into some FortiWeb devices, but they didn't seem to have the right credentials. Rapid7 says that the zero-day let attackers who weren't authenticated get administrator-level access to FortiWeb's management console.

In the end, Fortinet confirmed the problem in a security advisory and called it CVE-2025-64446. The vulnerability has two big problems: a bug that lets you traverse a relative path and a way to get around authentication.

In practice, this means that an attacker could use specially crafted HTTP or HTTPS requests to make new, privileged administrative accounts on a FortiWeb appliance without ever logging in as an administrator.

Fortinet vulnerability zero day patch



The Silent Patch: What Was Fixed

This is where things get really interesting (and scary): Fortinet didn't make the patch for this serious zero-day known right away. Instead, it looks like it quietly fixed the problem in some versions of FortiWeb.

The versions that have been fixed are:
• FortiWeb 8.0: Upgrade to 8.0.2 or higher.
• If you have FortiWeb 7.6, update to 7.6.5 or higher.
• FortiWeb 7.4: Update to 7.4.10 or higher
• FortiWeb 7.2: Update to 7.2.12 or higher
• FortiWeb 7.0: Update to 7.0.12 or higher

Fortinet's own advisory says that "this has been seen being used in the wild." Due to the seriousness of the issue, the U.S. CISA added CVE-2025-64446 to its Known Exploited Vulnerabilities (KEV) list and told federal agencies to fix it right away.

Why This Is Important

1. A WAF is being attacked.
FortiWeb is an example of a web application firewall that should be your first line of defense against threats at the application layer. But in this case, the WAF itself was a way for hackers to get in. It's a huge red flag that attackers could get administrative access to the firewall. Once they're in, they can turn off protections, hide their tracks, or even move to other systems.

2. Silent Fixes Make People Nervous
Fortinet may have made it less likely that attackers would find out about the patch by not telling customers right away, but they also made it harder for defenders to look for signs of compromise or investigate. Because of this lack of openness, responding to incidents is harder.

3. There was exploitation before there was disclosure.
Security teams say that exploitation started weeks before Fortinet made the problem public. This means that a lot of businesses may have already been hacked without even knowing it was a real risk.

4. Exposed management interfaces are very risky.
You are in a hazardous situation if you have FortiWeb's management interface open to the internet. Attackers don't need to have valid credentials. They only need to send that request, and they could be making admin accounts.

Fortinet vulnerability zero day patch


What You Should Do Right Now

Because this Fortinet vulnerability zero-day patch is so important, here are some specific things that businesses should do right away:

1. Update FortiWeb.
As soon as you can, upgrade to the patched versions (like 8.0.2, 7.6.5, etc.). Don't wait.
2. Limit Access
If you can't patch right away, turn off HTTP/HTTPS on the management interface that faces the internet or only let trusted IPs access it.
3. Check for accounts that look suspicious.
Look for any new administrator accounts, especially ones you don't know about. Check for changes to the settings, logins that you didn't expect, or any other strange behavior.
4. Look for signs of compromise (IoCs).
Security teams should look into whether there was any previous abuse. Look for signs of unauthorized admin creation using detection tools, logs, and threat intelligence.
5. Make patch management better.
This is a strong reminder that you shouldn't forget about security devices like firewalls and WAFs when you patch. Give them as much importance as you do servers or endpoints.

In a broader sense, why are these kinds of patches important?

Fortinet has had to deal with serious zero-day risks before. For example, in early 2025, people were using a serious bypass vulnerability (CVE-2024-55591) in FortiOS and FortiProxy products. In that case, too, companies were told to act quickly, but reports say that thousands of management interfaces were still open.

This is a lesson for security teams: even tools that are supposed to keep you safe can be used against you if they aren't properly secured and watched.

Fortinet vulnerability zero day patch


Last Thoughts

The Fortinet vulnerability zero-day patch for FortiWeb (CVE-2025-64446) is a clear sign that no device is safe, not even your WAF. Attackers took advantage of a flaw in the logic, made admin accounts, and may have given themselves long-term access. Fortinet's choice to patch without telling anyone may have kept threat actors from knowing about it, but it also made it harder for defenders to respond properly.

If you use FortiWeb, this is a very serious warning. Patch right away. Check your devices. Make access controls stronger. And most importantly, think about how you treat your security infrastructure as part of your patch management plan.

Questions that are often asked (FAQ)

What is CVE-2025-64446?

It is the name of the FortiWeb vulnerability that lets attackers who aren't logged in create admin-level accounts by combining a relative path traversal flaw with an authentication bypass.

Q2: What versions of FortiWeb are affected?

FortiWeb versions 8.0.0–8.0.1, 7.6.0–7.6.4, 7.4.0–7.4.9, 7.2.0–7.2.11, and 7.0.0–7.0.11 are all affected.

Q3: What should I do if I can't patch right now?
If the FortiWeb management interface is open to the internet, turn off HTTP and HTTPS. Limit access to IP addresses that you trust. Also, check the logs for signs of illegal creation of admin users.

Q4: Have real attacks used this zero-day?
Yes. Fortinet has confirmed that "observed" exploitation is happening in the wild. The U.S. CISA also put this security hole in its list of Known Exploited Vulnerabilities.

You can also read these important cybersecurity news articles on our website.

·       Apple Update,

·       Windows Problem,

·       Chrome Warning,

·       Chrome Problem,

·       Synology Issue,

·       Windows Fix,

Share this :

Latest News