Fortinet may have silently patched an exploited zero-day vulnerability more than two weeks before officially disclosing it.
CVE-2025-64446 in Fortinet’s FortiWeb web application firewall (WAF) may have been exploited as early as October 6, according to DefusedCyber in a post on X.
Fortinet is believed to have patched the 9.8-rated vulnerability in FortiWeb 8.0.2 in late October, but didn’t publish an advisory disclosing the exploited vulnerability until November 14. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog the same day as Fortinet’s disclosure.
Late today, Fortinet disclosed another exploited FortiWeb vulnerability – CVE-2025-58034, a 7.2-rated OS Command Injection vulnerability.
Fortinet Silent Patch Raises Concerns
The delayed notification in the case of CVE-2025-64446 has raised concerns with some in the cybersecurity industry, who say the delay may have put Fortinet customers at a disadvantage.
“Silently patching vulnerabilities is an established bad practice that enables attackers and harms defenders, particularly for devices and systems (including FortiWeb) that have previously been exploited in the wild,” VulnCheck’s Caitlin Condon said in a blog post.
“We already know security by obscurity doesn’t work; adversaries monitor new product releases and are actively reverse engineering patches regardless of whether suppliers tell their customers about fixed vulnerabilities or not,” Condon added. “When popular technology vendors fail to communicate new security issues, they are issuing an invitation to attackers while choosing to keep that same information from defenders.”
The Cyber Express has reached out to Fortinet for comment and will update this article with any response.
CVE-2025-64446 FortiWeb Vulnerability
CVE-2025-64446 is a 9.8-severity relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, and FortiWeb 7.0.0 through 7.0.11.
The vulnerability may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
Until an upgrade can be performed, Fortinet recommends disabling HTTP and HTTPS management access on internet-facing interfaces. “If the HTTP/HTTPS Management interface is internally accessible only as per best practice, the risk is significantly reduced,” Fortinet’s advisory said.
Shadowserver shows several hundred internet-facing FortiWeb management instances, which presumably would be vulnerable until upgraded.
After completing upgrades, Fortinet recommends that FortiWeb customers “review their configuration and review logs for unexpected modifications, or the addition of unauthorized administrator accounts.”
watchTowr said CVE-2025-64446 appears to comprise two vulnerabilities: a path traversal vulnerability, and an authentication bypass vulnerability.
watchTowr shared one sample request stream that it said was “evidence of a threat actor looking to exploit a vulnerability … that allowed privileged administrative functions to be reached.”
In the example, the threat actor “exploited the vulnerability to add administrative accounts to the target and vulnerable appliance, serving as a weak persistence mechanism.
“To be explicitly clear,” watchTowr added, “this is a complete compromise of the vulnerable appliance.”
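As an added illustration of the post-upgrade review Fortinet recommends and of the persistence technique watchTowr describes (newly created administrator accounts), the following Python script is not Fortinet's or watchTowr's code. It compares the administrator accounts found in a FortiWeb configuration export against an approved baseline and scans event-log lines for account additions and logins by users outside that baseline. The config block layout (config / edit / set / next / end), setting names such as trusthost1 and access-profile, and the key=value log line format are assumptions modelled on Fortinet's CLI export and event-log style; both inputs below are constructed samples, not data captured from a real appliance.

```python
"""Post-upgrade review helper: flag unexpected FortiWeb administrator accounts.

Added example, not Fortinet's or watchTowr's code. The config layout and the
key=value log format are ASSUMPTIONS modelled on Fortinet's CLI export and
event-log style; confirm field names against an export from your own appliance.
"""
import re

# Constructed sample config backup (not captured from a real appliance).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set access-profile "prof_admin"
        set trusthost1 10.0.0.0 255.0.0.0
    next
    edit "netops"
        set access-profile "prof_admin"
        set trusthost1 10.10.5.0 255.255.255.0
    next
    edit "support_tmp"
        set access-profile "prof_admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
end
"""

# Constructed event-log lines; the key=value layout is an assumption.
SAMPLE_LOG = """\
date=2025-10-05 time=09:12:01 type=event subtype=admin user="netops" action=login msg="User netops logged in"
date=2025-10-06 time=03:14:22 type=event subtype=admin user="admin" action=add msg="Added administrator support_tmp"
date=2025-10-06 time=03:14:40 type=event subtype=admin user="support_tmp" action=login msg="User support_tmp logged in"
"""

# Accounts the organisation actually provisioned: the baseline to compare against.
APPROVED_ADMINS = {"admin", "netops"}

_EDIT_RE = re.compile(r'^edit\s+"?([^"]+?)"?$')
_SET_RE = re.compile(r'^set\s+(\S+)\s+(.+)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_admin_accounts(config_text):
    """Return {account_name: {setting: value}} from the 'config system admin' block."""
    accounts, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system admin":
            in_block = True
        elif not in_block:
            continue
        elif line == "end":
            break
        elif m := _EDIT_RE.match(line):
            current = m.group(1)
            accounts[current] = {}
        elif line == "next":
            current = None
        elif current is not None and (m := _SET_RE.match(line)):
            accounts[current][m.group(1)] = m.group(2).strip('"')
    return accounts


def review_accounts(accounts, approved):
    """Flag accounts missing from the baseline or reachable from any source address."""
    findings = {}
    for name, settings in accounts.items():
        reasons = []
        if name not in approved:
            reasons.append("not in approved baseline")
        # 'trusthost1' is an assumed field name; a 0.0.0.0 0.0.0.0 trusted host
        # means management access for this account is not restricted by source.
        if settings.get("trusthost1", "").startswith("0.0.0.0 "):
            reasons.append("trusted host permits any source address")
        if reasons:
            findings[name] = reasons
    return findings


def parse_log_line(line):
    """Split a key=value event-log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def review_admin_log(log_text, approved):
    """Return admin-subtype events that change accounts or involve a non-baseline user."""
    suspicious = []
    for line in log_text.splitlines():
        ev = parse_log_line(line)
        if ev.get("subtype") != "admin":
            continue
        if ev.get("action") in {"add", "edit", "delete"} or ev.get("user") not in approved:
            suspicious.append(ev)
    return suspicious


if __name__ == "__main__":
    accounts = parse_admin_accounts(SAMPLE_CONFIG)
    for name, reasons in review_accounts(accounts, APPROVED_ADMINS).items():
        print(f"[config] {name}: {'; '.join(reasons)}")
    for ev in review_admin_log(SAMPLE_LOG, APPROVED_ADMINS):
        print(f"[log] {ev['date']} {ev['time']} user={ev['user']} action={ev['action']} msg={ev['msg']}")
```

Run against a real export and log, the script should be pointed at a baseline taken from a known-good backup predating the exposure window, since an account created on or after October 6 would otherwise be "approved" by a baseline built from the compromised configuration itself.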
