CVE-2025-64446
Published 2025-11-14
Priority: P1 (99) · critical · CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2025-11-21
Exploited in the wild
EPSS: 89.53% (99.8th percentile)
A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortinet | — | — |
| fortinet | fortiweb | — | — |
| fortinet | fortiweb | >= 7.0.0 < 7.0.12 | 7.0.12 |
| fortinet | fortiweb | 7.0.0 – 7.0.11 | — |
| fortinet | fortiweb | >= 7.2.0 < 7.2.12 | 7.2.12 |
| fortinet | fortiweb | 7.2.0 – 7.2.11 | — |
| fortinet | fortiweb | >= 7.4.0 < 7.4.10 | 7.4.10 |
| fortinet | fortiweb | 7.4.0 – 7.4.9 | — |
| fortinet | fortiweb | >= 7.6.0 < 7.6.5 | 7.6.5 |
| fortinet | fortiweb | 7.6.0 – 7.6.4 | — |
| fortinet | fortiweb | >= 8.0.0 < 8.0.2 | 8.0.2 |
| fortinet | fortiweb | 8.0.0 – 8.0.1 | — |
Detection & IOCs (extracted from sources)
- CGIINFO header: base64-encoded JSON with username=admin, profname=super_admin, vdom=root, loginname=admin
- Look for POST requests containing path traversal sequences targeting /api/v2.0/cmd/system/admin%3F/../../../../../cgi-bin/fwbcgi in HTTP/HTTPS logs on FortiWeb devices.
- Detect requests containing base64-encoded CGIINFO HTTP headers, which are used to impersonate the built-in admin account via the cgi_auth() function.
- Review logs for Base64-encoded CGIINFO headers as an indicator of exploitation attempts.
- Recorded Future's Insikt Group created a Nuclei template for non-intrusive detection of the path traversal without creating accounts or modifying system state.
- Sicarii ransomware was observed checking for CVE-2025-64446 exploitation against Fortinet devices as part of its attack chain.
- The path traversal works because the URI begins with a valid API path; the %3F (URL-encoded '?') is used to traverse from the API endpoint to the underlying CGI binary. The exact number of traversal segments may vary (e.g., /../../../ vs /../../../../../).
- Active exploitation has been observed since early October 2025, prior to public disclosure; approximately 4,768 FortiWeb instances were exposed on Shodan at time of reporting.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-hp5v-vp9j-7vp9: A relative path traversal vulnerability in Fortinet FortiWeb 8
ghsa_unreviewed · 2025-11-14 · CVE-2025-64446 [CRITICAL] · CWE-23
A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
VulnCheck
Fortinet FortiWeb Path Traversal Vulnerability
vulncheck · 2025 · CVSS 9.8 · CVE-2025-64446 [CRITICAL] · CWE-23
Fortinet FortiWeb contains a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
Affected: Fortinet FortiWeb
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://x.com/DefusedCyber/status/1975242250373517373; https://www.pwndefend.com/2025/11/13/suspected-fortinet-zero-day-exploited-in-the-wild/; https://app.crowdsec.net/cti/cve-explorer/CVE-2025-64446; https://arcticwolf.com/resources/blog/cve-2025-64446/; https://blog.qualys.com
VulnCheck
Fortinet FortiWeb SQL Injection Vulnerability
vulncheck · 2025 · CVSS 9.8 · CVE-2025-25257 [CRITICAL] · CWE-89
Fortinet FortiWeb contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.
Affected: Fortinet FortiWeb
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-25257; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-07-13&host_type=src&vulnerability=cve-2025-25257; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-07-14&host_type=src&vulnerability=cve-2025-25257; https://d
Fortinet
FG-IR-25-910: A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb...
vendor_fortinet · 2025-11-14 · CVSS 9.8 · CVE-2025-64446 [CRITICAL] · CWE-23
A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
CVEs: CVE-2025-64446
CWEs: CWE-23
CVSS: 9.8 (critical)
Affected products: FortiWeb, Fortinet
CISA
Fortinet FortiWeb Path Traversal Vulnerability
cisa · 2025-11-14 · CVSS 9.8 · CVE-2025-64446 [CRITICAL] · CWE-23
Affected: Fortinet FortiWeb
Fortinet FortiWeb contains a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.fortiguard.com/psirt/FG-IR-25-910 ; https://nvd.nist.gov/vuln/detail/CVE-2025-64446
Remediation Due Date: 2025-11-21
No detection rules found.
Exploit-DB
FortiWeb 8.0.2 - Remote Code Execution
exploitdb · 2026-04-08 · CVSS 9.8 · CVE-2025-64446 [CRITICAL]
---
# Exploit Title: FortiWeb 8.0.2 - Remote Code Execution
# Date: 2025-11-22
# Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://www.fortinet.com
# Software Link: https://www.fortinet.com/products/web-application-firewall/fortiweb
# Version: FortiWeb ")
print("Example: python3 fortiweb_rce.py https://192.168.100.50:8443 192.168.45.10 4444")
print("\nSteps:")
print(" 1. Start listener → nc -lvnp 4444")
print(" 2. Run exploit → python3 fortiweb_rce.py 4444")
print(" 3. Get root shell → enjoy\n")
sys.exit(1)
banner()
target = sys.argv[1].rstrip("/")
LHOST = sys.argv[2]
LPORT = sys.argv[3]
print(f"[*] Target : {target}")
print(f"[*] Callback : {
Exploit-DB
Fortinet FortiWeb v8.0.1 - Auth Bypass
exploitdb · 2026-04-06 · CVSS 9.8 · CVE-2025-64446 [CRITICAL]
---
# Titles:Fortinet FortiWeb v8.0.1 - Auth Bypass
# Author: nu11secur1ty
# Date: 11/15/2025
# Vendor: https://www.fortinet.com/
# Software: v8.0.1
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-64446
## Description:
CVE-2025-64446 is a critical path traversal vulnerability affecting
multiple versions of Fortinet FortiWeb, a Web Application Firewall (WAF)
used to protect web applications and APIs.
The vulnerability allows an unauthenticated remote attacker to send
specially crafted HTTP/HTTPS requests that may result in administrative
access bypass on vulnerable FortiWeb systems.
## Severity
- CVSS v3.1 Score: 9.8 (Critical)
- Attack Vector: Network
- Privileges Required: None (Unauthenticated)
- User Interaction: None
- Impact: High (Aut
Metasploit
Fortinet FortiWeb unauthenticated RCE
metasploit · CVSS 7.2 · CVE-2025-64446 [HIGH]
This exploit module exploits an authentication bypass via path traversal vulnerability in the Fortinet FortiWeb management interface to create a new local administrator user account. From there a command injection vulnerability is leveraged to achieve RCE with root privileges. The auth bypass CVE-2025-64446 affects the following versions:
- FortiWeb 8.0.0 through 8.0.1 (Patched in 8.0.2 and above)
- FortiWeb 7.6.0 through 7.6.4 (Patched in 7.6.5 and above)
- FortiWeb 7.4.0 through 7.4.9 (Patched in 7.4.10 and above)
- FortiWeb 7.2.0 through 7.2.11 (Patched in 7.2.12 and above)
- FortiWeb 7.0.0 through 7.0.11 (Patched in 7.0.12 and above)
The command injection CVE-2025-58034 affects the following versions (Note the 7.6 and 7.4 branches are very slightl
Metasploit
Fortinet FortiWeb create new local admin
metasploit
This auxiliary module exploits an authentication bypass via path traversal vulnerability in the Fortinet FortiWeb management interface to create a new local administrator user account. This vulnerability affects the following versions:
- FortiWeb 8.0.0 through 8.0.1 (Patched in 8.0.2 and above)
- FortiWeb 7.6.0 through 7.6.4 (Patched in 7.6.5 and above)
- FortiWeb 7.4.0 through 7.4.9 (Patched in 7.4.10 and above)
- FortiWeb 7.2.0 through 7.2.11 (Patched in 7.2.12 and above)
- FortiWeb 7.0.0 through 7.0.11 (Patched in 7.0.12 and above)
Nuclei
FortiWeb - Authentication Bypass
nuclei · CVSS 9.8 · CVE-2025-64446 [CRITICAL]
A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
Template:
id: CVE-2025-64446
info:
  name: FortiWeb - Authentication Bypass
  author: DhiyaneshDk,watchTowr,rapid7,defusedcyber
  severity: critical
  description: |
    A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or H
Tenable
CVE-2026-35616: Fortinet FortiClientEMS improper access control vulnerability exploited in the wild
blogs_tenable · 2026-04-06 · CVSS 9.8 · [CRITICAL]
Bleepingcomputer
Hackers now exploiting critical Fortinet FortiSIEM flaw in attacks
blogs_bleepingcomputer · 2026-01-16 · CVSS 9.8 · CVE-2025-64155 [CRITICAL]
By Sergiu Gatlan
A critical Fortinet FortiSIEM vulnerability with publicly available proof-of-concept exploit code is now being abused in attacks.
According to security researcher Zach Hanley at penetration testing company Horizon3.ai, who reported the vulnerability ( CVE-2025-64155 ), it is a combination of two issues that allow arbitrary writes with admin permissions and privilege escalation to root access.
"An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests," Fortinet explained on Tuesday, when it released security updates to patch th
Tenable
CVE-2025-64155 PoC released Command Injection Vulnerability
blogs_tenable · 2026-01-14 · CVSS 9.8 · [CRITICAL]
Checkpoint
Sicarii Ransomware: Truth vs Myth
blogs_checkpoint · 2026-01-14 · CVE-2025-64446
## Key findings
Sicarii is a newly observed RaaS operation that surfaced in late 2025 and has only published 1 claimed victim.
The group explicitly bra
Bleepingcomputer
Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass
blogs_bleepingcomputer · 2026-01-02 · CVSS 9.8 · CVE-2020-12812 [CRITICAL]
By Sergiu Gatlan
Over 10,000 Fortinet firewalls are still exposed online and vulnerable to ongoing attacks exploiting a five-year-old critical two-factor authentication (2FA) bypass vulnerability.
Fortinet released FortiOS versions 6.4.1, 6.2.4, and 6.0.10 in July 2020 to address this flaw (tracked as CVE-2020-12812 ) and advised admins who couldn't immediately patch to turn off username-case-sensitivity to block 2FA bypass attempts targeting their devices.
This improper authentication security flaw (rated 9.8/10 in severity) was found in FortiGate SSL VPN and allows attackers to log in to unpatched firewalls without being prompted for the second factor of authentication (FortiToken) when the username's case is cha
Bleepingcomputer
Fortinet warns of 5-year-old FortiOS 2FA bypass still exploited in attacks
blogs_bleepingcomputer · 2025-12-29 · CVSS 9.8 · CVE-2020-12812 [CRITICAL]
By Sergiu Gatlan
Fortinet has warned customers that threat actors are still actively exploiting a critical FortiOS vulnerability that allows them to bypass two-factor authentication (2FA) when targeting vulnerable FortiGate firewalls.
Tracked as CVE-2020-12812 , this improper authentication security flaw was found in FortiGate SSL VPN and enables attackers to log in to unpatched firewalls without being prompted for the second factor of authentication (FortiToken) when changing the case of the username.
"This happens when two-factor authentication is enabled in the 'user local' setting, and that user authentication type is set to a remote authentication method (eg: ldap)," Fortinet explained when it patched th
Bleepingcomputer
Over 25,000 FortiCloud SSO devices exposed to remote attacks
blogs_bleepingcomputer · 2025-12-19 · CVSS 9.8 · CVE-2025-59718 [CRITICAL]
By Sergiu Gatlan
Internet security watchdog Shadowserver has found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled, amid ongoing attacks targeting a critical authentication bypass vulnerability.
Fortinet noted on December 9th, when it patched the security flaw tracked as CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb), that the vulnerable FortiCloud SSO login feature is not enabled until admins register the device with the company's FortiCare support service.
As cybersecurity company Arctic Wolf reported on Monday , the vulnerability is now actively exploited to compromise admin accounts via malicious single sign-on (SSO) logins.
Threat actors are abusing it i
Recorded Future
November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October
blogs_recorded_future · 2025-12-09 · CVSS 8.8 · CVE-2025-64446 [HIGH]
November 2025 saw a significant 69% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 10 vulnerabilities requiring immediate attention, down from 32 in October.
What security teams need to know:
- Fortinet leads concerns: Two critical FortiWeb vulnerabilities (CVE-2025-64446 and CVE-2025-58034) are under active exploitation
- LANDFALL spyware campaign: Threat actors weaponized Samsung's image processing flaw (CVE-2025-21042) for zero-click Android attacks
- Public exploits proliferate: Seven of ten vulnerabilities have public proof-of-concept code available
- OS Command Injection and Out-of-bounds Write were tied as the most common weakness types
Bottom line: The r
Bleepingcomputer
Fortinet warns of critical FortiCloud SSO login auth bypass flaws
blogs_bleepingcomputer · 2025-12-09 · CVSS 9.8 · CVE-2025-59718 [CRITICAL]
By Sergiu Gatlan
Fortinet has released security updates to address two critical vulnerabilities in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that could allow attackers to bypass FortiCloud SSO authentication.
Threat actors can exploit the two security flaws tracked as CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb) by abusing improper verification of cryptographic signature weaknesses in vulnerable products via a maliciously crafted SAML message.
However, as Fortinet explained in an advisory published today, the vulnerable FortiCloud feature is not enabled by default when the device is not FortiCare-registered.
"Please note that the FortiCloud SSO login feature is no
Wiz
Supply Chain Attacks & AI Vulnerabilities: December Cloud Security Update | Wiz
blogs_wiz · 2025-12-01 · CVSS 10.0 · [CRITICAL]
Welcome back! This edition delivers the latest cloud security highlights: key breaches, unique data findings, and must-watch vulnerabilities. Let’s jump in.
🔍 Highlights
Shai-Hulud 2.0: Ongoing Supply Chain Campaign Referencing Shai-Hulud
A new npm supply-chain campaign referencing Shai-Hulud temporarily compromised packages from Zapier, ENS Domains, PostHog, Postman, and others. This wave leveraged temporarily compromised npm maintainer accounts to publish trojanized versions of legitimate packages from major ecosystems. Wiz observed over 25,000 repositories containing secrets across ~350 unique users.
The malicious packages execute code during the preinstall phase, enabling theft of developer and CI/CD secrets and automated propagation to new repositories. Exfiltration is conducted c
Bleepingcomputer
CISA gives govt agencies 7 days to patch new Fortinet flaw
blogs_bleepingcomputer · 2025-11-19 · CVSS 7.2 · CVE-2025-58034 [HIGH]
By Sergiu Gatlan
CISA has ordered U.S. government agencies to secure their systems within a week against another vulnerability in Fortinet's FortiWeb web application firewall, which was exploited in zero-day attacks.
Tracked as CVE-2025-58034 , this OS command injection flaw can allow authenticated threat actors to execute code as root in low-complexity attacks that don't require user interaction.
"An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands," Fortinet said on Tuesday.
"The specific flaw exists within the imple
Bleepingcomputer
Fortinet warns of new FortiWeb zero-day exploited in attacks
blogs_bleepingcomputer · 2025-11-18 · CVSS 7.2 · CVE-2025-58034 [HIGH]
By Sergiu Gatlan
Today, Fortinet released security updates to patch a new FortiWeb zero-day vulnerability that threat actors are actively exploiting in attacks.
Tracked as CVE-2025-58034 , this web application firewall security flaw was reported by Jason McFadyen of Trend Micro's Trend Research team.
Authenticated threat actors can gain code execution by successfully exploiting this OS command injection vulnerability in low-complexity attacks that don't require user interaction.
"An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests o
Qualys
Unauthenticated Authentication Bypass in Fortinet FortiWeb (CVE-2025-64446) Exploited in the Wild | Qualys
blogs_qualys · 2025-11-15 · CVSS 9.8 · CVE-2025-64446 [CRITICAL]
#### Table of Contents
- Technical Analysis:
- Affected Versions:
- Qualys Detection Resources
- Mitigation Recommendations
- Indicators of Compromise:
- Eliminating the Risk of These Vulnerabilities with the Qualys Enterprise TruRiskTMPlatform
A critical authentication bypass vulnerability affecting Fortinet FortiWeb web application firewalls has been actively exploited since early October 2025. The vulnerability allows unauthenticated attackers to create admin accounts and gain complete control over vulnerable devices exposed to the internet. It is being officially tracked as CVE-2025-64446 with a CVSS v3.1 score of 9.8 (Critical). CISA has added CVE-2025-64446 to the CISA KEV catalog earlier today with a required remediation due date of November 21, 2025.
## Technical Analysis:
The
Tenable
CVE-2025-64446 FortiWeb Zero-Day Exploited
blogs_tenable · 2025-11-14 · CVSS 9.8 · [CRITICAL]
Bleepingcomputer
Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks
blogs_bleepingcomputer · 2025-11-14 · CVSS 9.8 · [CRITICAL]
By Sergiu Gatlan
Fortinet has confirmed that it has silently patched a critical zero-day vulnerability in its FortiWeb web application firewall, which is now " massively exploited in the wild."
The flaw was silently patched after reports that unauthenticated attackers were exploiting an unknown FortiWeb path traversal flaw in early October to create new administrative users on Internet-exposed devices.
The attacks were first identified by threat intel firm Defused on October 6, which published a proof-of-concept exploit and reported that an "unknown Fortinet exploit (possibly a CVE-2022-40684 variant)" is being used to send HTTP POST requests to the /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi
Recorded Future
November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October
blogs_recorded_future · CVSS 5.4 · CVE-2025-64446 [MEDIUM]
November 2025 saw a significant 69% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 10 vulnerabilities requiring immediate attention, down from 32 in October.
What security teams need to know:
- Fortinet leads concerns: Two critical FortiWeb vulnerabilities (CVE-2025-64446 and CVE-2025-58034) are under active exploitation
- LANDFALL spyware campaign: Threat actors weaponized Samsung's image processing flaw (CVE-2025-21042) for zero-click Android attacks
- Public exploits proliferate: Seven of ten vulnerabilities have public proof-of-concept code available
- OS Command Injection and Out-of-bounds Write were tied as the most common weakness types
Bottom line: Th
Greynoiseio
NoiseLetter November 2025
blogs_greynoiseio
arXiv
Future-Back Threat Modeling: A Foresight-Driven Security Framework
arxiv_fulltext · 2025-11-24
## Abstract
Traditional threat modeling remains reactive—focused on known TTPs and past incident data—while threat prediction and forecasting frameworks are often disconnected from operational or architectural artifacts. This creates a fundamental weakness: the most serious cyber threats often do not arise from what is known, but from what is assumed, overlooked, or not yet conceived, and frequently originate from the future—such as artificial intelligence, information warfare, and supply chain attacks—where adversaries continuously develop new exploits that can bypass defenses built on current knowledge.
To address this mental gap, this paper introduces the theory and methodology of Future-Back Threat Modeling (FBTM). This predictive approach begins with envisioned future threat states
Timeline
- 2025-11-14: Published
- 2025-11-14: Added to CISA KEV
- Exploited in the wild