
Fortinet finally cops to critical make-me-admin bug under active exploitation

(2025/11/14)


Fortinet finally published a security advisory on Friday for a critical FortiWeb path traversal vulnerability under active exploitation – but it appears digital intruders got a month's head start.

The bug, now tracked as [1]CVE-2025-64446, allows unauthenticated attackers to execute administrative commands on Fortinet's web application firewall product and fully take over vulnerable devices. It's fully patched in FortiWeb version 8.0.2, but it didn't even have a CVE assigned to it until Friday, when the vendor [2]admitted to having "observed this to be exploited in the wild."

Also on Friday, the US Cybersecurity and Infrastructure Security Agency (CISA) [3]added CVE-2025-64446 to its Known Exploited Vulnerabilities Catalog.


A Fortinet spokesperson declined to answer The Register's questions about exploitation, including the scope of the attacks and when they began, and emailed us this statement:

We are aware of this vulnerability and activated our PSIRT response and remediation efforts as soon as we learned of this matter, and those efforts remain ongoing. Fortinet diligently balances our commitment to the security of our customers and our culture of responsible transparency. With that goal and principle top of mind, we are communicating directly with affected customers to advise on any necessary recommended actions. We urge our customers to refer to the advisory and follow the guidance provided for [5]CVE FG-IR-25-910.

However, it appears a proof-of-concept (PoC) exploit has been making the rounds since early October, and third-party security sleuths have told The Register that exploitation is widespread.

"The watchTowr team is seeing active, indiscriminate in-the-wild exploitation of what appears to be a silently patched vulnerability in Fortinet's FortiWeb product," watchTowr CEO and founder Benjamin Harris told us prior to Fortinet's security advisory.


"The vulnerability allows attackers to perform actions as a privileged user – with in-the-wild exploitation focusing on adding a new administrator account as a basic persistence mechanism for the attackers," he added.


WatchTowr [8]successfully reproduced the vulnerability and created a working PoC, along with a [9]Detection Artefact Generator to help defenders identify vulnerable hosts in their IT environments.

Despite the fix in version 8.0.2, the attacks remain ongoing, and at least 80,000 FortiWeb web app firewalls are connected to the internet, according to Harris.

"Apply patches if you haven't already," he advised. "That said, given the indiscriminate exploitation observed by the watchTowr team and our Attacker Eye sensor network, appliances that remain unpatched are likely already compromised."
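The two things Harris points defenders at are a version check against the fixed release and a look for administrator accounts nobody approved. The following triage script is an added example, not code from The Register, Fortinet, watchTowr or Rapid7; it treats FortiWeb 8.0.2 as the patched 8.0 release (as the article states), defers any other branch to the vendor advisory rather than guessing fix versions, and runs over a constructed inventory whose host names, versions and account lists are all made up for the example.

```python
"""Added example (not from the article or any vendor named in it):
triage a FortiWeb fleet inventory for two signals the article raises.

  1. Hosts on a FortiWeb 8.0 release older than 8.0.2, the release the
     article names as carrying the fix for CVE-2025-64446.
  2. Administrator accounts missing from a known-good baseline, since the
     reported in-the-wild activity added new admin accounts as persistence.

The inventory shape and the sample hosts are constructed for this example;
a real run would be fed account and version data exported from the appliances.
"""
from dataclasses import dataclass, field

PATCHED_80 = (8, 0, 2)  # from the article: fix shipped in FortiWeb 8.0.2


@dataclass
class Host:
    name: str
    version: str                       # e.g. "8.0.1"
    admins: set = field(default_factory=set)


def parse_version(v: str):
    """Turn 'major.minor.patch' into a comparable tuple; reject other shapes."""
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version string: {v!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def patch_status(version: str) -> str:
    """'patched' or 'vulnerable' on the 8.0 branch; 'check-advisory' elsewhere."""
    major, minor, patch = parse_version(version)
    if (major, minor) == (8, 0):
        return "patched" if (major, minor, patch) >= PATCHED_80 else "vulnerable"
    # The article gives no fix version for other branches, so defer to FG-IR-25-910.
    return "check-advisory"


def unexpected_admins(host: Host, baseline: set) -> set:
    """Admin accounts present on the host but absent from the approved baseline."""
    return host.admins - baseline


def triage(hosts, baseline):
    """Return {host name: [findings]}; hosts with nothing to report are omitted."""
    findings = {}
    for h in hosts:
        issues = []
        status = patch_status(h.version)
        if status != "patched":
            issues.append(f"{status}: running {h.version}")
        extra = unexpected_admins(h, baseline)
        if extra:
            issues.append("unexpected admin account(s): " + ", ".join(sorted(extra)))
        if issues:
            findings[h.name] = issues
    return findings


# Constructed sample data: baseline of approved admin accounts and three hosts.
BASELINE_ADMINS = {"admin", "soc-ro"}
SAMPLE_HOSTS = [
    Host("waf-01", "8.0.2", {"admin", "soc-ro"}),
    Host("waf-02", "8.0.1", {"admin", "soc-ro", "support_tmp"}),
    Host("waf-03", "7.6.3", {"admin"}),
]

if __name__ == "__main__":
    for name, issues in triage(SAMPLE_HOSTS, BASELINE_ADMINS).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

An account that is absent from the baseline is a lead, not proof of compromise: the point of the check is to force a human to account for every administrator on a box that was exposed before 8.0.2 landed, which is the population Harris describes as likely already compromised.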


The battering attempts against Fortinet's web application firewalls date back to October 6, when cyber deception firm Defused [11]published a PoC on social media that one of their FortiWeb Manager honeypots caught. At the time, the bug hadn't been disclosed nor did it have a CVE.

According to Rapid7 threat hunters, the PoC doesn't work against the latest FortiWeb version, but it does work against earlier releases, including 8.0.1 [12]released in August.

[13]Fortinet discloses critical bug with working exploit code amid surge in brute-force attempts

[14]Old Fortinet flaws under attack with new method its patch didn't prevent

[15]New kids on the ransomware block channel Lockbit to raid Fortinet firewalls

[16]Firewalls and VPNs are so complex now, they can actually make you less secure

The security shop also spotted an apparent zero-day exploit targeting FortiWeb listed for sale on November 6 on a malware- and exploit-slinging marketplace. "While it is not clear at this time if this is the same exploit as the one described above, the timing is coincidental," the Rapid7 bug hunters [17]said.

"We're aware of exploitation going back to at least early October, though it may have begun earlier, and we believe that exploitation attempts are actively ongoing," Rapid7 security researcher Ryan Emmons told The Register. "It's unclear whether the responsible threat actors were aware of this vulnerability prior to the release of the most recent FortiWeb software update, 8.0.2, which patched the vulnerability."

Emmons described the fix as "a coincidental one that inadvertently remediated the vulnerability," adding that the attackers may have learned about the bug by analyzing the October software release.


"This wouldn't be surprising, as many threat actors closely monitor changes in popular software to spot newly-introduced flaws and fresh bug fixes," he said. "Alternatively, perhaps the fix was an intentional silent patch by Fortinet for a known vulnerability that attackers had already discovered and weaponized; however, it's unclear why Fortinet wouldn't have warned their customer base when the patch went out if this were the case."

This story, much like the exploitation of CVE-2025-64446, remains ongoing, and The Register will provide updates as we learn more about the FortiWeb attacks. ®

Editor's note: This story was amended post-publication with comment from Ryan Emmons.




[1] https://nvd.nist.gov/vuln/detail/CVE-2025-64446

[2] https://fortiguard.fortinet.com/psirt/FG-IR-25-910

[3] https://www.cisa.gov/news-events/alerts/2025/11/14/cisa-adds-one-known-exploited-vulnerability-catalog


[5] https://fortiguard.fortinet.com/psirt/FG-IR-25-910


[8] https://x.com/watchtowrcyber/status/1989017336632996337?s=20

[9] https://labs.watchtowr.com/when-the-impersonation-function-gets-used-to-impersonate-users-fortinet-fortiweb-auth-bypass/


[11] https://x.com/defusedcyber/status/1975242250373517373

[12] https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/88382abd-82db-11f0-9bfd-6af4c3636dc7/fortiweb-v8.0.1-release-notes.pdf

[13] https://www.theregister.com/2025/08/13/fortinet_discloses_critical_bug/

[14] https://www.theregister.com/2025/04/14/security_in_brief/

[15] https://www.theregister.com/2025/03/14/ransomware_gang_lockbit_ties/

[16] https://www.theregister.com/2025/10/28/cisco_citrix_vpn_ransomware/

[17] https://www.rapid7.com/blog/post/etr-critical-vulnerability-in-fortinet-fortiweb-exploited-in-the-wild/




looking for a reason?

Anonymous Coward

Isn't the reason that the US' TLAs decided that they didn't want it fixed yet?

Re: looking for a reason?

VoiceOfTruth

Nobody should trust any American equipment, hosting, etc.
