Critical FortiWeb WAF Vulnerability Exploited in the Wild: Immediate Action Required
Fortinet has recently disclosed a critical security vulnerability in its FortiWeb Web Application Firewall (WAF), identified as CVE-2025-64446. This flaw is actively being exploited by malicious actors, posing a significant risk to organizations utilizing affected versions of FortiWeb.
Understanding CVE-2025-64446
CVE-2025-64446 is a critical vulnerability stemming from improper access control within the GUI component of FortiWeb. This flaw allows unauthenticated attackers to execute administrative commands via specially crafted HTTP or HTTPS requests. By exploiting this vulnerability, attackers can create unauthorized administrator accounts, granting them full control over the affected device’s configuration and access to sensitive data. The vulnerability has been assigned a CVSS v3.1 base score of 9.1, indicating its severity.
Affected Versions and Immediate Mitigation
The vulnerability affects multiple versions of FortiWeb across various branches:
– FortiWeb 8.0.0 through 8.0.1
– FortiWeb 7.6.0 through 7.6.4
– FortiWeb 7.4.0 through 7.4.9
– FortiWeb 7.2.0 through 7.2.11
– FortiWeb 7.0.0 through 7.0.11
To mitigate the risk, Fortinet has released patched versions:
– FortiWeb 8.0.2 and above
– FortiWeb 7.6.5 and above
– FortiWeb 7.4.10 and above
– FortiWeb 7.2.12 and above
– FortiWeb 7.0.12 and above
Organizations are strongly urged to upgrade to these versions immediately to protect their systems from potential exploitation.
Technical Details and Exploitation
The vulnerability is classified as a relative path traversal issue (CWE-23). Attackers can exploit this flaw by sending crafted HTTP or HTTPS requests that bypass authentication mechanisms. This exploitation can lead to the creation of unauthorized administrator accounts, providing attackers with full access to the device’s configuration and sensitive data. Fortinet’s Product Security Incident Response Team (PSIRT) has confirmed active exploitation of this vulnerability in the wild.
Recommended Actions
In addition to upgrading to the patched versions, Fortinet recommends the following actions:
1. Disable HTTP/HTTPS Access on Internet-Facing Interfaces: As a temporary workaround, disable HTTP or HTTPS access on internet-facing interfaces. This aligns with best practices that limit management access to internal networks only, significantly reducing exposure.
2. Audit Configurations and Logs: After upgrading, organizations should audit configurations and logs for signs of compromise, such as unexpected additions or modifications of administrator accounts. Reviewing access patterns can help detect any unauthorized activity.
Broader Implications
This incident underscores the persistent risks associated with network security appliances, which are prime targets for attackers seeking to infiltrate broader environments. Web Application Firewalls (WAFs) like FortiWeb are designed to protect web applications from threats. However, vulnerabilities within these systems can ironically serve as entry points for attackers. Security experts advise prioritizing patches for critical infrastructure, especially given the ease of exploitation associated with this flaw, as it requires no privileges or user interaction.
Conclusion
The active exploitation of CVE-2025-64446 in FortiWeb WAFs presents a critical security threat. Organizations using affected versions must take immediate action by upgrading to the latest patched versions and implementing recommended security measures. Continuous monitoring and adherence to best practices are essential to safeguard against such vulnerabilities and maintain robust cybersecurity defenses.
