Attacks involving critical Fortinet FortiWeb bug underway

SecurityWeek reports that vulnerable Fortinet FortiWeb instances impacted by the critical relative path traversal flaw, tracked as CVE-2025-64446, were noted by Fortinet and the Cybersecurity and Infrastructure Security Agency to have been subjected to ongoing attacks, with CISA urging federal agencies to remediate the bug by Nov. 21.

Threat actors could harness the security issue, which affects FortiWeb versions 8.0.0 through 8.0.1. 7.6.0 through 7.6.4, 7.4.0 through 7.4.9, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11, to facilitate administrative command execution, according to Fortinet, which also recommended the deactivation of internet-exposed FortiWeb interfaces' HTTP/HTTPS as a workaround, as well as immediate configuration and log reviews following the implementation of updated versions.

Both Fortinet and CISA alerts follow separate reports from watchTowr, PwnDefend, and Rapid7 detailing intrusions involving the vulnerability. Analysis by watchTowr researchers revealed the flaw to consist of path traversal and authentication bypass defects that could be leveraged for total FortiWeb compromise.