New Fortinet FortiWeb Vulnerability Sparks Urgent Alerts


A newly discovered Fortinet FortiWeb vulnerability is forcing organizations to move fast. The flaw, now confirmed to be under active exploitation, gives attackers a direct path to create admin accounts and take full control of FortiWeb appliances. The issue has been unfolding quietly for weeks, but as attackers ramped up their activity it has become an immediate priority for security teams worldwide.

The vulnerability, tracked as CVE-2025-64446, carries a 9.1 CVSS score, a clear sign of how dangerous it is. At its core, the flaw combines a path traversal issue with an authentication bypass, allowing remote, unauthenticated access to sensitive administrative functions. With a few crafted HTTP or HTTPS requests, attackers can jump straight into the system and execute admin-level commands.
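As an added defensive example (not code from this article, from Fortinet, or from any of the firms named below): a small Python scanner that reads web access logs and flags requests whose path contains a dot-segment traversal, including percent-encoded and double-encoded forms, and marks those answered with a 2xx status for priority triage. The log lines, client addresses and the `/admin-area/` path are constructed assumptions, not the endpoint involved in CVE-2025-64446.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format; not real FortiWeb logs.
# "/admin-area/..." is a stand-in path, not the endpoint involved in CVE-2025-64446.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2025:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [06/Oct/2025:10:12:03 +0000] "POST /api/../../admin-area/accounts HTTP/1.1" 200 88
10.0.0.9 - - [06/Oct/2025:10:12:05 +0000] "POST /api/%2e%2e%2f%2e%2e%2fadmin-area/accounts HTTP/1.1" 200 88
10.0.0.3 - - [06/Oct/2025:10:12:06 +0000] "GET /api/%252e%252e%252fadmin-area/ HTTP/1.1" 403 0
10.0.0.11 - - [06/Oct/2025:10:12:07 +0000] "GET /static/app.js HTTP/1.1" 304 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." segment delimited by slashes or backslashes (or by path start/end).
DOT_SEGMENT_RE = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')


def fully_decode(text, max_rounds=3):
    """Undo percent-encoding repeatedly so double-encoded dot segments are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def is_traversal(raw_path):
    """True if the request path (query string ignored) contains a '..' segment after decoding."""
    path_only = raw_path.split('?', 1)[0]
    return DOT_SEGMENT_RE.search(fully_decode(path_only)) is not None


def scan_log(log_text):
    """One finding per traversal request; a 2xx response marks it as likely successful."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m['path']):
            continue
        findings.append({
            'ip': m['ip'],
            'method': m['method'],
            'path': m['path'],
            'decoded': fully_decode(m['path']),
            'likely_success': m['status'].startswith('2'),
        })
    return findings


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Traversal requests that the appliance answered with 2xx are the ones to review first, together with any administrator accounts created around the same time.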

For organizations that rely on FortiWeb for critical web application firewall protection, the stakes could not be higher. When attackers can create new administrator accounts, they gain the ability to modify configurations, extract sensitive data, and pivot deeper into the network. And the exploitation has already been happening for weeks.

Fortinet confirmed that the Fortinet FortiWeb vulnerability is being actively exploited in the wild, though the company offered few public details about what attackers have done so far. What’s clearer is the timeline: security firms and independent researchers began spotting suspicious activity long before the official advisory was published.

Multiple firms, including WatchTowr, Rapid7, PwnDefend, and Defused, shared evidence showing coordinated exploitation across a wide range of targets. WatchTowr reported that attacks appeared indiscriminate, hitting FortiWeb appliances around the world without targeting any specific industries. This broad pattern suggests automated exploitation attempts, likely from threat actors racing to compromise as many devices as possible before patches were widely applied.

Defused, one of the earliest groups to observe the attacks, analyzed an exploit seen on October 6, over a month before Fortinet’s official warning. They later published proof-of-concept code based on this finding, making the vulnerability easier for others to test or misuse.

Meanwhile, Rapid7 noted that on November 6, a threat actor began advertising what appeared to be a zero-day exploit for FortiWeb on a dark web forum. While Rapid7 could not confirm whether the listing was related to CVE-2025-64446, the timing aligned with the spike in real-world exploitation.

All evidence points to the same conclusion: the window between discovery and widespread attacks was extremely short, and many organizations were likely hit before fixes became available.