Fortinet Bug: CISA Urges Fed Agencies to Patch Vulnerability ASAP

The US government has issued an alert to federal agencies about a critical Fortinet bug that hackers are exploiting. The vulnerability affects FortiWeb, a web application firewall used by governments and large businesses worldwide. Cybersecurity agency CISA (Cybersecurity and Infrastructure Security Agency) gave all federal civilian agencies one week to patch the CVE-2025-64446 bug.

CISA warned that users should disable HTTP or HTTPS for internet-facing interfaces if they can’t upgrade affected systems immediately. Fortinet published an advisory rating the bug as “critical” with a severity score of 9.1 out of 10.

The issue was first reported by cybersecurity firm Defused on October 6, and since then, experts have observed widespread exploitation in the wild. watchTowr CEO Benjamin Harris said his company is seeing active exploitation of the vulnerability, while Rapid7 noted that hackers can gain administrator-level access to FortiWeb using this exploit.

Fortinet has urged customers to upgrade to patched versions, but it’s unclear when the patch was released or if it was publicly disclosed without notification. The latest vulnerability adds to a growing list of issues affecting Fortinet products, with 21 vulnerabilities now on CISA’s Known Exploited Vulnerabilities list.
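The one-week KEV deadline above is the kind of date a defender has to track across every entry for a vendor, not just the latest one. The Python script below is an added example, not code from the article, CISA or Fortinet: it parses a JSON export in the shape of CISA's KEV feed (the field names are the feed's real ones; the records and dates embedded here are constructed placeholders, and only the CVE-2025-64446 identifier comes from the article) and lists a vendor's entries ordered by days remaining until the remediation due date, flagging any that are already overdue.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The field names
# (vulnerabilities, cveID, vendorProject, product, dateAdded, dueDate) are the
# real feed's; the CVE-0000-* ids and all dates are placeholders, not catalog data.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2025-64446", "vendorProject": "Fortinet", "product": "FortiWeb",
         "dateAdded": "2025-11-14", "dueDate": "2025-11-21"},
        {"cveID": "CVE-0000-00001", "vendorProject": "Fortinet", "product": "FortiOS",
         "dateAdded": "2025-10-01", "dueDate": "2025-10-22"},
        {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
         "dateAdded": "2025-11-10", "dueDate": "2025-12-01"},
    ]
})


def load_kev(text: str) -> list[dict]:
    """Parse a KEV catalog export and return its list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def entries_for_vendor(entries: list[dict], vendor: str) -> list[dict]:
    """Case-insensitive filter on the vendorProject field."""
    return [e for e in entries if e["vendorProject"].lower() == vendor.lower()]


def days_until_due(entry: dict, today: date) -> int:
    """Days left until CISA's remediation due date; negative means overdue."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def triage(text: str, vendor: str, today_iso: str) -> list[tuple[str, str, int]]:
    """Return (cveID, product, days_left) for one vendor, most urgent first.

    today_iso is an ISO date string so callers never depend on datetime directly.
    """
    today = date.fromisoformat(today_iso)
    rows = [(e["cveID"], e["product"], days_until_due(e, today))
            for e in entries_for_vendor(load_kev(text), vendor)]
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    # Placeholder "today" so the sample run is deterministic.
    for cve, product, days in triage(SAMPLE_KEV_JSON, "Fortinet", "2025-11-18"):
        status = f"OVERDUE by {-days} days" if days < 0 else f"{days} days left"
        print(f"{cve:16} {product:12} {status}")
```

To run it against the live catalog, replace `SAMPLE_KEV_JSON` with the contents of CISA's published KEV JSON export and pass the current date; the sort puts overdue entries first so the list doubles as a patch-priority queue.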

Source: https://therecord.media/fortinet-fortiweb-vulnerability-cisa-advisory