Critical Zero-Day in Fortinet FortiWeb Exposed in the Wild

What happened

Fortinet has confirmed a zero-day vulnerability (CVE-2025-64446) in its FortiWeb web application firewall. The flaw is a path-traversal and authentication-bypass issue that lets unauthenticated attackers execute administrative commands on the device. The patch was quietly released in version 8.0.2 and equivalent updates for earlier branches, even as active exploitation was already underway.

Who is affected

Any organisation running FortiWeb versions prior to the patch is at risk:

• Version 8.0.0-8.0.1

• Version 7.6.0-7.6.4

• Version 7.4.0-7.4.9

• Version 7.2.0-7.2.11

• Version 7.0.0-7.0.11
  The highest risk exists where the management interface is exposed to the internet or insufficiently segmented.

Why CISOs should care

This vulnerability demands immediate attention for the following reasons:

• It grants admin-level access without authentication, undermining strong network and host controls.

• It is actively exploited in the wild, meaning attackers are already leveraging the flaw.

• The patching was done quietly, increasing the risk of organisations being exposed without knowing it.

• For organisations using FortiWeb to protect their web applications, a compromised WAF could mean their frontline defence becomes a gateway for deeper intrusion.

• Regulators and critical-infrastructure agencies (such as those tracking the flaw via the Cybersecurity and Infrastructure Security Agency ‘Known Exploited Vulnerabilities’ list) may expect expedited remediation.

3 practical actions

1. Inventory and version check

   • Locate all FortiWeb instances in your asset inventory and network scan.

   • Verify version numbers and check if their management interface is exposed externally.

   • Flag any device in the vulnerable version range above.

2. Patch or apply immediate mitigations

   • Upgrade to: 8.0.2+ (for 8.0 branch), 7.6.5+ (for 7.6), 7.4.10+ (for 7.4), 7.2.12+ (for 7.2), 7.0.12+ (for 7.0)

   • If you cannot patch immediately: disable HTTP/HTTPS access to the management interface from untrusted networks; restrict access to trusted IPs only.

   • After patching, validate that the update took effect and monitor for new admin accounts or unexpected configuration changes.

3. Enhance monitoring and incident readiness

   • Review logs for signs of exploitation: new admin accounts, unusual POST requests (e.g., to /api/v2.0/cmdb/system/admin?.../cgi-bin/fwbcgi) and suspicious base64 CGIINFO headers.

   • Ensure that management interfaces are isolated behind a tightly controlled network segment and not exposed.

   • Update your incident-response playbook to include scenarios where the WAF itself is compromised and lateral movement is possible.