Full Report
The security vendor silently patched a vulnerability, but did not assign the flaw a CVE or publicly disclose its existence until 17 days later. By then, widespread attacks were already underway. The post Fortinet’s delayed alert on actively exploited defect put defenders at a disadvantage appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Fortinet FortiWeb Path Traversal Leading to Command Execution
## CVE Details
- CVE ID: CVE-2025-64446
- CVSS Score: 9.8 (Critical)
- CWE: Path Traversal (Implied based on description)
## Affected Systems
- Products: FortiWeb (Web Application Firewall)
- Versions: Versions prior to FortiWeb 8.0.2
- Configurations: Not explicitly detailed, but impacts the web application firewall product.
## Vulnerability Description
This is a path-traversal defect in Fortinet FortiWeb that allows an attacker to execute administrative commands. Successful exploitation can lead to a complete takeover of the compromised device. The vendor silently patched this issue 17 days before public disclosure.
## Exploitation
- Status: Exploited in the wild (Attacks confirmed to be widespread since at least early October)
- Complexity: Not explicitly stated, but the outcome suggests relatively low complexity for command execution.
- Attack Vector: Network (Implied by the nature of a web application firewall vulnerability)
## Impact
- Confidentiality: High (Complete takeover suggests potential access to all data)
- Integrity: High (Ability to execute administrative commands suggests total system integrity compromise)
- Availability: High (Complete takeover of the device)
## Remediation
### Patches
- FortiWeb version 8.0.2 (Patch released October 28th)
### Workarounds
- No specific workarounds were detailed in the context, but immediate patching is heavily implied as the primary necessary action.
## Detection
- Indicators of Compromise: Attackers have been observed adding new administrative accounts.
- Detection methods and tools: Researchers at watchTowr released technical analysis and hunting tools to identify potentially vulnerable hosts.
## References
- Vendor Advisory: [fortiguard.com/psirt/FG-IR-25-910](https://www.fortiguard.com/psirt/FG-IR-25-910) (Defanged)
- CISA Alert: [cisa.gov/news-events/alerts/2025/11/14/fortinet-releases-security-advisory-relative-path-traversal-vulnerability-affecting-fortiweb](https://www.cisa.gov/news-events/alerts/2025/11/14/fortinet-releases-security-advisory-relative-path-traversal-vulnerability-affecting-fortiweb) (Defanged)
- Researcher PoC: [x.com/defusedcyber/status/1975242250373517373](https://x.com/defusedcyber/status/1975242250373517373) (Defanged)
- Technical Analysis: [labs.watchtowr.com/when-the-impersonation-function-gets-used-to-impersonate-users-fortinet-fortiweb-auth-bypass/](https://labs.watchtowr.com/when-the-impersonation-function-gets-used-to-impersonate-users-fortinet-fortiweb-auth-bypass/) (Defanged)