Fortinet Delayed Alert on Exploited Vulnerability Left Defenders Disadvantaged

Fortinet, a web application firewall provider, has faced criticism for its delayed alert on a critical vulnerability in one of its products. The actively exploited flaw poses significant risks to customers and allows attackers to execute administrative commands, leading to complete device takeover.

The vulnerability, CVE-2025-64446, has a CVSS rating of 9.8 and was first spotted by researchers at Defused on October 6. However, Fortinet did not publicly disclose the issue until October 25, when it confirmed that the vulnerability had been exploited in the wild.

Researchers and federal authorities issued warnings, including technical analysis and proof-of-concept exploit tools to help organizations identify vulnerable hosts. Despite this, some customers may have missed the opportunity to patch their systems due to Fortinet’s delayed communication.

“The delay led many users not to apply the patch that actually fixed the vulnerability,” said Ben Harris, founder and CEO of watchTowr. “Had they known, they would have likely updated right away.”

Security experts agree that Fortinet’s delayed alert put defenders at a disadvantage. “It was being exploited before customers had any formal awareness, guidance or patch information,” said Ryan Emmons, security researcher at Rapid7.

Fortinet has since released a software update and provided recommendations for affected customers. However, the incident highlights the importance of timely vendor communication and cooperation in the cybersecurity community.

Whether the flaw counts as a zero-day is a matter of definition, but researchers and experts agree that, because of Fortinet’s delayed public disclosure, it behaved as one in practice. Security teams are already overwhelmed with vulnerability patches, making it challenging for them to address every issue immediately.

Fortinet’s delayed alert on this critical vulnerability left defenders at a disadvantage from the start, and the episode underlines how much defenders depend on vendors communicating exploitation promptly.

Source: https://cyberscoop.com/fortinet-delayed-disclosure-exploited-vulnerability