Critical FortiWeb WAF Vulnerability Exploited in the Wild to Gain Full Control

Fortinet has issued an urgent security advisory for a critical vulnerability in its FortiWeb web application firewall (WAF) that is already being actively exploited in the wild, potentially allowing attackers to create administrator accounts and seize full control of vulnerable appliances.

Tracked as CVE-2025-64446, the flaw carries a CVSS v3.1 base score of 9.1 (Critical) and stems from a relative path traversal issue (CWE-23) in the FortiWeb GUI.

According to Fortinet, an unauthenticated remote attacker can exploit the bug by sending specially crafted HTTP or HTTPS requests to the management interface, enabling the execution of administrative commands on the device.

In practical terms, a successful exploit could allow an attacker to add new administrator users, alter security policies, tamper with logging or alerting configurations, and ultimately leverage the FortiWeb appliance as a powerful foothold for further attacks within the network.

Fortinet confirms it has observed active exploitation of this vulnerability, significantly raising the urgency for organizations to patch or apply mitigations immediately.

The issue affects the following FortiWeb versions:

• FortiWeb 8.0: 8.0.0–8.0.1 (update to 8.0.2 or later)
• FortiWeb 7.6: 7.6.0–7.6.4 (update to 7.6.5 or later)
• FortiWeb 7.4: 7.4.0–7.4.9 (update to 7.4.10 or later)
• FortiWeb 7.2: 7.2.0–7.2.11 (update to 7.2.12 or later)
• FortiWeb 7.0: 7.0.0–7.0.11 (update to 7.0.12 or later)

For organizations unable to patch immediately, Fortinet recommends a critical workaround: disable HTTP and HTTPS access on internet-facing FortiWeb management interfaces.

When the management GUI is only accessible from internal, restricted networks as per best practices, the risk of exploitation is significantly reduced, though not eliminated.

After applying the necessary updates, Fortinet strongly advises customers to review device configurations and audit logs for signs of compromise.

Administrators should look for unexpected configuration changes and the presence of any unauthorized administrator accounts, which may indicate successful exploitation prior to patching.

Fortinet published its advisory on November 14, 2025, and has provided CVRF and CSAF documents with full technical details to assist enterprises and security teams in assessing exposure and prioritizing remediation.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Critical FortiWeb WAF Vulnerability Exploited in the Wild to Gain Full Control appeared first on Cyber Security News.