The Register

Fortinet finally cops to critical make-me-admin bug under active exploitation

Fortinet finally published a security advisory on Friday for a critical FortiWeb path traversal vulnerability under active exploitation – but it appears digital intruders got a month’s head start.

The bug, now tracked as CVE-2025-64446, allows unauthenticated attackers to execute administrative commands on Fortinet’s web application firewall product and fully take over vulnerable devices. It’s fully patched in FortiWeb version 8.0.2, but it didn’t even have a CVE assigned to it until Friday, when the vendor admitted to having “observed this to be exploited in the wild.”

Also on Friday, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-64446 to its Known Exploited Vulnerabilities Catalog.

A Fortinet spokesperson declined to answer The Register‘s questions about exploitation, including the scope of the attacks and when they began, and emailed us this statement:

However, it appears a proof-of-concept (PoC) exploit has been making the rounds since early October, and third-party security sleuths have told The Register that exploitation is widespread.

“The watchTowr team is seeing active, indiscriminate in-the-wild exploitation of what appears to be a silently patched vulnerability in Fortinet’s FortiWeb product,” watchTowr CEO and founder Benjamin Harris told us prior to Fortinet’s security advisory.

“The vulnerability allows attackers to perform actions as a privileged user – with in-the-wild exploitation focusing on adding a new administrator account as a basic persistence mechanism for the attackers,” he added.


WatchTowr successfully reproduced the vulnerability and created a working PoC, along with a Detection Artefact Generator to help defenders identify vulnerable hosts in their IT environments.

Despite the fix in version 8.0.2, the attacks remain ongoing, and at least 80,000 FortiWeb web app firewalls are connected to the internet, according to Harris.

“Apply patches if you haven’t already,” he advised. “That said, given the indiscriminate exploitation observed by the watchTowr team and our Attacker Eye sensor network, appliances that remain unpatched are likely already compromised.”

The battering attempts against Fortinet’s web application firewalls date back to October 6, when cyber deception firm Defused published a PoC on social media that one of their FortiWeb Manager honeypots caught. At the time, the bug hadn’t been disclosed, nor did it have a CVE.

According to Rapid7 threat hunters, the PoC doesn’t work against the latest FortiWeb version, but it does work against earlier releases, including 8.0.1 released in August.

The security shop also spotted an apparent zero-day exploit targeting FortiWeb listed for sale on November 6 on a malware- and exploit-slinging marketplace. “While it is not clear at this time if this is the same exploit as the one described above, the timing is coincidental,” the Rapid7 bug hunters said.

“We’re aware of exploitation going back to at least early October, though it may have begun earlier, and we believe that exploitation attempts are actively ongoing,” Rapid7 security researcher Ryan Emmons told The Register. “It’s unclear whether the responsible threat actors were aware of this vulnerability prior to the release of the most recent FortiWeb software update, 8.0.2, which patched the vulnerability.”

Emmons described the fix as “a coincidental one that inadvertently remediated the vulnerability,” adding that the attackers may have learned about the bug by analyzing the October software release.

“This wouldn’t be surprising, as many threat actors closely monitor changes in popular software to spot newly-introduced flaws and fresh bug fixes,” he said. “Alternatively, perhaps the fix was an intentional silent patch by Fortinet for a known vulnerability that attackers had already discovered and weaponized; however, it’s unclear why Fortinet wouldn’t have warned their customer base when the patch went out if this were the case.”

This story, much like the exploitation of CVE-2025-64446, remains ongoing, and The Register will provide updates as we learn more about the FortiWeb attacks. ®

Editor’s note: This story was amended post-publication with comment from Ryan Emmons.
