Concerns Arise After Fortinet’s Silent Patch Release


Fortinet’s Silent Patch Raises Eyebrows in Cybersecurity Community

Recently, it has come to light that Fortinet may have quietly addressed a serious zero-day vulnerability within their FortiWeb web application firewall (WAF) over two weeks before making any official announcement. This issue, identified as CVE-2025-64446, has sparked discussions concerning the implications of delayed disclosures in cybersecurity.

Timeline of Events

The vulnerability in question was reportedly exploited as early as October 6, according to findings shared by DefusedCyber on the social media platform X. Fortinet patched this critical, CVSS 9.8-rated vulnerability in FortiWeb version 8.0.2 at the end of October. However, the company did not release an advisory informing users that the vulnerability was being exploited until November 14. On the same day as Fortinet’s announcement, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-64446 to its Known Exploited Vulnerabilities (KEV) catalog.

Concerns Over Delayed Notification

The absence of immediate notification regarding CVE-2025-64446 has raised alarms among some cybersecurity professionals. Critics argue that the delayed disclosure may have left Fortinet’s customers vulnerable. Caitlin Condon from VulnCheck emphasized in a blog post that silently patching vulnerabilities is a detrimental practice that can empower attackers while putting defenders at a disadvantage.

“When companies choose not to communicate new security issues, they’re effectively issuing an invitation to attackers and withholding crucial information from the defenders,” Condon stated, highlighting a significant flaw in the approach taken by prominent technology vendors.

CVE-2025-64446: A Detailed Look

CVE-2025-64446 is classified as a severe relative path traversal vulnerability affecting multiple versions of Fortinet FortiWeb, specifically versions 8.0.0 to 8.0.1, 7.6.0 to 7.6.4, 7.4.0 to 7.4.9, 7.2.0 to 7.2.11, and 7.0.0 to 7.0.11. This vulnerability potentially allows an attacker to execute administrative commands by sending specially crafted HTTP or HTTPS requests to the system.

Fortinet has strongly recommended that users disable HTTP and HTTPS for interfaces exposed to the internet until they can perform necessary upgrades. “If the HTTP/HTTPS management interface is only accessible internally, the risk is significantly reduced,” the company advised.

Current Landscape and Recommendations

Research from Shadowserver has revealed that there are several hundred internet-facing FortiWeb management instances, which likely remain vulnerable until upgraded. To mitigate risks, Fortinet has encouraged FortiWeb users to review their configurations and logs for any unauthorized modifications or the addition of unknown administrator accounts after applying the upgrades.

Notably, the security research firm watchTowr has indicated that CVE-2025-64446 may encompass both a path traversal vulnerability and an authentication bypass vulnerability. They provided an example request stream as evidence of an attacker attempting to exploit such vulnerabilities, an attempt that could lead to the addition of unauthorized administrative accounts on the targeted appliance.

watchTowr further clarified that exploitation of this vulnerability could result in complete compromise of the affected system, which highlights the urgent need for users to take the necessary steps to upgrade their FortiWeb installations.
