Stay ahead of threats with Hoplon Infosec’s expert testing, audits, and threat intelligence.
Hoplon InfoSec Logo

FortiWeb Zero-Day Exploited: 5 Critical Risks in 2025

FortiWeb Zero-Day Exploited: 5 Critical Risks in 2025

Hoplon InfoSec

19 Nov, 2025

A Very Important Wake-Up Call: FortiWeb Zero Day Used in the Wild

You have a fast sports car that was made for speed, but one day you find a flaw in its engine that you didn't know about. You'd fix it right away because if someone bad knew how to take advantage of that flaw, the damage could be very bad. That's how cybersecurity teams are responding to a FortiWeb zero-day that threat actors are using to put important web application firewalls (WAFs) in great danger.

Fortinet's FortiWeb, which is a common part of many enterprise security stacks, has a new critical flaw that has come to light. CVE 2025 64446 is the name of the vulnerability that is being actively used in the wild. This is not a risk that could happen. Attackers are already using it to get around authentication and take full control of the system. Let me explain what happened, why it matters, and what you should do.


What is the weakness?

The FortiWeb zero-day exploit, CVE 2025 64446, is a bug in the FortiWeb management interface that lets you move through relative paths. An attacker who is not authenticated can use carefully crafted HTTP or HTTPS requests to move through directory paths and get to internal administrative endpoints. From there, they can run commands at the system level.

That means that someone on the internet could make new administrator accounts, change system settings, and maybe even take over the whole WAF appliance without having to log in. This is a very serious security hole, especially since FortiWeb is supposed to protect your web apps, not let people in.

QuillBot-generated-image-1 (93)


Why This FortiWeb Zero-Day Exploit Is So Risky

1. No credentials are needed.
The attacker doesn't need valid credentials because this is a zero-day exploit that doesn't require authentication. That makes it a lot easier for attackers.

2. A lot of different versions are affected.
The vulnerability affects many different versions of FortiWeb, such as 8.0.0 to 8.0.1, 7.6.0 to 7.6.4, 7.4.0 to 7.4.9, 7.2.0 to 7.2.11, and 7.0.0 to 7.0.11. BleepingComputer
If any of these are part of your infrastructure, you're in the danger zone.

3. Publicly Known Exploits
In early October 2025, researchers from Defused first noticed strange behavior. Then, WatchTowr copied the exploit and posted a script on GitHub. This means that bad people don't have to come up with new ways to do things. People are already sharing tools that can test and take advantage of this weakness.

4. Pressure from rules
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-64446 to its list of Known Exploited Vulnerabilities (KEV). That means that government agencies have a very short amount of time to fix the problem, usually within days, or they risk being very exposed.

But wait, there's more: Another problem with FortiWeb.

There is a second problem making news, as if one zero-day wasn't enough: CVE 2025 58034 is a vulnerability that lets attackers run commands on the operating system. Security Vulnerability. This problem needs authentication, unlike the first one. However, an attacker with high-level credentials could send specially crafted HTTP or CLI commands to run any code on the operating system.

The research team at Trend Micro said they saw as many as 2,000 attempts to exploit this command-injection flaw. H2S Media. That's a lot. It's not as easy to exploit (you need a valid login), but the risk is still very real, especially for teams with weak access control or shared credentials.

What Fortinet Did and Why People Are Angry

On October 28, 2025, Fortinet released version 8.0.2, which included a silent patch for CVE 2025 64446. But at first, they didn't say anything publicly about the flaw. Many people criticized this slow or quiet disclosure.

Researchers at CSO Online say that silently patching a FortiWeb zero-day exploited threat hurts defenders because companies might not even know they need to look for or fix an active exploit. It also makes people less trusting: how can security teams decide which patches to make first if vendors don't explain the risk?

QuillBot-generated-image-1 (94)


Why This Isn't Just a Theory in the Real World

Think of FortiWeb as a guardhouse that keeps your web apps safe like a VIP building. This zero-day exploited flaw is like finding an open side door; anyone on the outside could walk right into the security room, take over, and even replace the guards.

This is valuable to an attacker:

• They can make new admin accounts and keep them.

 • They can change security policies or firewall rules.

• They might also change logs or delete evidence, which makes it much harder to find them.
If attackers get that much control, they could do almost anything, like stop traffic, drop bad content, or use the WAF as a base to move sideways.

What You Should Do Right Now, Things to Do Right Away
If you are in charge of FortiWeb security, here is what you need to do right away:

  1. Patch Right Away: Update to FortiWeb 8.0.2 (or higher) or one of the other branches that have fixed versions:
    o 7.6.x → 7.6.5+ o 7.4.x → 7.4.10+ o 7.2.x → 7.2.12+ o 7.0.x → 7.0.12+

  2. Lock Down the Management Interface
    If you can't patch right away, turn off HTTP/HTTPS access on management interfaces that are open to the internet. Instead, use VPNs or restricted IP allowlists.

3. Audit logs for admin accounts that look suspicious
Check your FortiWeb logs for any unexpected new admin accounts or strange changes to the site's settings. You find something, assume it has been compromised, and look into it more.

4. Make access control stronger.
All admin accounts should have strong, unique passwords, the least amount of access they need, and multi-factor authentication (MFA) turned on.

5. Keep an eye on threat intelligence.
Keep an eye on news from Fortinet's PSIRT (Product Security Incident Response Team) and well-known security research companies like Rapid7, watchTowr, and Defused.

6. Split up your network.
Check to see if your WAF management plane is separate. The FortiWeb management interface should only be able to talk to trusted admin workstations.

Why the FortiWeb Zero-Day Exploit Matters Beyond FortiWeb

This story teaches us something bigger about how we protect important infrastructure:

• Zero-days in security tools themselves are a very scary fact of life. Even things we trust can be hacked.
• Silent patches are not safe. When vendors don't say what they've fixed, defenders might not realize how serious a threat is.
• Speed is very important. When a vulnerability like this is being used in the wild, it can be too long to wait days or weeks to fix it.

This incident shows that attackers are always trying to get into the systems that are meant to stop them, and defenders need to respond just as strongly.

QuillBot-generated-image-2 - 2025-11-19T141930


FAQ

Q1: Is this zero-day a threat to all FortiWeb appliances?
Only some versions are affected: 8.0.0–8.0.1, 7.6.0–7.6.4, 7.4.0–7.4.9, 7.2.0–7.2.11, and 7.0.0–7.0.11. Check Fortinet's advisory to make sure your version is either older or newer.

Q2: Do you need a password or to log in to CVE 2025 64446?
No, this is a zero-day attack that doesn't need authentication. Path traversal lets attackers get to administrative functions directly.

Question 3: How bad is CVE 2025 58034?
It is also very dangerous because it has an OS command injection flaw that lets an authenticated attacker (with administrative or high privileges) run harmful OS commands.

Q4: What if I can't patch right away?
If patching is delayed, turn off HTTP and HTTPS access on management interfaces that are open to the internet right away. Look through the logs and see if there are any new admin accounts that look suspicious. threatprotect .qualys.

In the end: A Risky Reminder, Trust, but check.

The FortiWeb zero-day exploited scenario is a strong reminder that even the tools we use to protect ourselves can have big problems. It's not just a bug when a vulnerability lets attackers take control without permission; it's a betrayal of trust.

But that doesn't mean you should give up. Organizations can keep attackers out by acting quickly, keeping their patches clean, and carefully limiting access. This event should make you rethink how you protect your guardians and make your security stronger.

Take this seriously if you run FortiWeb or are in charge of cybersecurity for a company that does. Do something now, patch carefully, and keep an eye on things. The attacker doesn't wait, and you shouldn't either.

For more, please visit our Homepage and follow us on (Twitter) and LinkedIn for more cybersecurity news and updates. Stay connected on YouTube and Instagram as well. At Hoplon Infosec, we’re committed to securing your digital world.

Author: HoplonInfosec, Profile Link: Facebook 

Bio: Security enthusiast with over 10 years in mobile cybersecurity. Connect with me on LinkedIn.

Company: HoplonInfosec,

Company Address: 1415 W 22nd St Tower Floor, Oak Brook, IL 60523, United States

Contact: +1 773-904-3136

About/Privacy: At Hoplon Infosec, we provide expert insights into cybersecurity. Our editorial policy: all articles are written by in-house specialists or thoroughly reviewed by them to ensure accuracy, credibility, and up-to-date information.

Certifications: SO/IEC 42001

Publication date: 19/11/2025

 

Share this :

Latest News