Fortinet finally cops to critical make-me-admin bug under active exploitation
Summary
Fortinet has published an advisory for a critical FortiWeb path traversal vulnerability, now tracked as CVE-2025-64446, after third parties publicised a proof-of-concept and evidence of active exploitation. The bug allows unauthenticated attackers to execute administrative commands and add persistent administrator accounts on vulnerable FortiWeb appliances. Fortinet’s fix appears in FortiWeb 8.0.2, and CISA has added the CVE to its Known Exploited Vulnerabilities Catalog, but security researchers report that exploitation has been ongoing since early October and that many unpatched devices are likely compromised.
Independent teams (watchTowr, Rapid7, Defused) reproduced the issue, released detection artefacts and PoCs, and observed indiscriminate, in-the-wild attacks focused on creating admin accounts. Rapid7 noted that the 8.0.2 release may have fixed the flaw inadvertently, without it being flagged as a security fix; attackers routinely diff software releases and may have weaponised the change quickly. At least ~80,000 FortiWeb units are internet-connected and potentially exposed.
Key Points
- CVE-2025-64446 is a critical FortiWeb path traversal that allows unauthenticated administrative actions and full takeover of affected devices.
- Fortinet released a fix in FortiWeb 8.0.2 and officially acknowledged exploitation only after PoCs and attack evidence circulated.
- CISA has added the CVE to its Known Exploited Vulnerabilities Catalog, raising urgency for defenders to act.
- Security teams (watchTowr, Rapid7, Defused) saw active exploitation from early October and published PoCs, detection artefacts and hunting guidance.
- Attackers observed are adding administrator accounts as a persistence mechanism — meaning patched devices may still be compromised if not checked for backdoors.
- Rapid7 warns the 8.0.2 fix may have been coincidental; attackers frequently analyse releases and fixes to discover exploitable changes.
Context and relevance
This is significant because FortiWeb is a web application firewall — a frontline defence for many organisations. A remotely exploitable vulnerability that grants admin privileges undermines trust in those defences and can be used to pivot, exfiltrate data or deploy ransomware. The incident also highlights two recurring problems: vendors sometimes patch silently (or fixes are uncommunicated), and threat actors rapidly weaponise PoCs or even changes in official releases. Organisations running FortiWeb must patch, inventory exposed devices, and hunt for unauthorised admin accounts or other persistence.
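As an added illustration of the triage the paragraph above describes (not code from Fortinet, watchTowr, Rapid7 or Defused), the script below walks a constructed FortiWeb inventory and flags both firmware older than the 8.0.2 fix release the page names and administrator accounts that are absent from an approved baseline or were created after exploitation reportedly began. The inventory format, the hostnames, the `approved` baseline and the 1 October cut-off for "early October" are all assumptions made for the example; a rogue admin is flagged even on a patched appliance, since patching does not remove persistence already planted.

```python
from dataclasses import dataclass
from datetime import date

FIXED_VERSION = (8, 0, 2)          # fix release named in the advisory summary
EXPLOIT_START = date(2025, 10, 1)  # "early October" per the page; 1 Oct assumed


@dataclass
class Appliance:
    host: str
    version: str        # dotted numeric firmware string, e.g. "8.0.1" (assumed format)
    admins: dict        # admin username -> account creation date


def parse_version(version: str) -> tuple:
    """Turn '8.0.1' into (8, 0, 1) so releases compare numerically."""
    return tuple(int(part) for part in version.split("."))


def triage(appliance: Appliance, approved: set) -> list:
    """Return human-readable findings for one appliance (empty list = clean)."""
    findings = []
    if parse_version(appliance.version) < FIXED_VERSION:
        findings.append(f"{appliance.host}: version {appliance.version} below 8.0.2, patch")
    for user, created in appliance.admins.items():
        if user not in approved:
            # Unknown admin: matches the persistence pattern seen in the wild
            findings.append(f"{appliance.host}: admin '{user}' not in baseline, investigate")
        elif created >= EXPLOIT_START:
            # Known name but created inside the exploitation window: verify it is legitimate
            findings.append(f"{appliance.host}: admin '{user}' created {created}, verify")
    return findings


# Constructed sample inventory: one unpatched box, one patched box with a
# suspicious extra admin, one patched and clean box. Not real hosts.
INVENTORY = [
    Appliance("waf-edge-1", "8.0.1", {"admin": date(2024, 3, 12)}),
    Appliance("waf-edge-2", "8.0.2", {"admin": date(2024, 3, 12), "sysupd": date(2025, 10, 14)}),
    Appliance("waf-dmz-3", "8.0.2", {"admin": date(2024, 3, 12)}),
]
APPROVED_ADMINS = {"admin"}  # assumed baseline of sanctioned admin usernames


def run_triage(inventory=INVENTORY, approved=APPROVED_ADMINS) -> dict:
    """Map each host to its findings so results can be asserted on or reported."""
    return {a.host: triage(a, approved) for a in inventory}


if __name__ == "__main__":
    for host, findings in run_triage().items():
        print(host, "->", findings or ["no findings"])
```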
Why should I read this?
Short answer: because if you run FortiWeb (or manage network security), this could already be a live problem in your estate. Patch now, but don’t stop there — assume compromise, look for new admin accounts, and run the detection artefacts shared by security teams. If you don’t run FortiWeb, it’s still worth reading — the story is a reminder that fixes can leak clues and attackers move fast. We’ve saved you the digging: patches exist, PoCs exist, and active attacks are real.
