A critical Fortinet FortiWeb Web Application Firewall (WAF) vulnerability capable of remote code execution has been exploited in the wild. The bug, identified as CVE-2025-64446, allows an unauthenticated attacker to execute administrative commands on a vulnerable system via crafted HTTP or HTTPS requests.
The vulnerability affects FortiWeb versions 7.4 through 7.4.9, 7.2 through 7.2.11, and 7.0 through 7.0.11, according to Fortinet’s PSIRT advisory. It has a CVSS score of 9.1 and is considered critical.
Customers are advised to patch the vulnerability immediately by updating to versions 8.0.2 or above for FortiWeb 8.0, 7.6.5 or above for FortiWeb 7.6, and so on.
Security experts warn that silently patching vulnerabilities can enable attackers and harm defenders. The bug was apparently not disclosed alongside the latest patch and may have been silently patched.
To reduce risk, customers who cannot upgrade immediately should disable HTTP or HTTPS for Internet-facing interfaces.
Source: https://www.darkreading.com/application-security/critical-fortinet-fortiweb-waf-bug-exploited-in-wild