Fortinet has released an urgent security update for a critical vulnerability in FortiWeb Web Application Firewall (WAF). This flaw is already being used by attackers, so updating your device is extremely important.
The vulnerability, CVE-2025-64446, allows attackers to run admin-level commands without logging in. This means they can take complete control of the system. The issue has a CVSS score of 9.1, making it very serious.
The problem comes from a path traversal bug in the FortiWeb GUI. With a specially crafted HTTP or HTTPS request, attackers can bypass security checks and run commands with full privileges. This can result in:
- Creating unauthorized admin accounts
- Stealing data
- Total system compromise
Fortinet has confirmed active attacks, so patching immediately is strongly recommended.
Affected Versions:
FortiWeb 8.0, 7.6, 7.4, 7.2, and 7.0
Recommended Updated Versions:
8.0.2, 7.6.5, 7.4.10, 7.2.12, and 7.0.12 or higher
If you cannot apply the update right away, Fortinet suggests disabling HTTP/HTTPS access to the management interface on all internet-facing interfaces. This can help reduce risk but should only be used as a temporary solution.
After updating, admins should check system logs and look for any unknown or suspicious admin accounts to ensure their device has not already been compromised.
Leave A Comment