Federal authorities and researchers issued urgent alerts Friday regarding a critical vulnerability in Fortinet’s web application firewall, identified as CVE-2025-64446. The defect, which has been actively exploited, allows attackers to execute administrative commands, potentially leading to a complete takeover of compromised devices, according to the Cybersecurity and Infrastructure Security Agency (CISA). This widespread exploitation comes amidst criticism of Fortinet’s delayed communication regarding the FortiWeb flaw.
The critical vulnerability, with a CVSS rating of 9.8, was addressed by Fortinet in a software update released on October 28. However, the company did not assign a CVE or publicly disclose the vulnerability’s existence until last week, 17 days after the patch was deployed. By this time, threat researchers had already detected exploitation in the wild, alarming organizations that had not yet updated their FortiWeb systems to version 8.0.2.
Fortinet Vulnerability Exploited Amidst Delayed Disclosure
Threat researchers from multiple firms, alongside computer emergency response teams and CISA, began issuing warnings on Friday. These advisories detailed significant attacks linked to the Fortinet vulnerability. CISA’s alert added the flaw to its catalog of known exploited vulnerabilities, mandating federal agencies to patch the issue within seven days.
A Fortinet spokesperson stated that the company’s product security incident response team began addressing the vulnerability as soon as they were aware of it. “Fortinet diligently balances our commitment to the security of our customers and our culture of responsible transparency,” the spokesperson said in a statement. The company is communicating directly with affected customers to advise on necessary actions.
Researchers Raise Concerns Over Communication Delays
Researchers at Defused first identified the vulnerability and published a proof-of-concept exploit on October 6. Subsequently, watchTowr published technical analysis and released a tool to assist organizations in detecting vulnerable hosts. Ben Harris, founder and CEO at watchTowr, noted that attacks have been widespread since early October, “long before the industry was able to pull the fire alarm, and arguably exacerbated by the silence from Fortinet.”
While specific victims have not yet been identified, attackers are reportedly using the CVE-2025-64446 vulnerability to add new administrative accounts, gaining persistent privileged access. At present, no specific cybercrime group or motivation has been attributed to these attacks.
“Fortinet’s silent patching of the vulnerability — intentional or not — likely led many users not to apply the patch that actually fixed the vulnerability,” Harris added. He explained that FortiWeb customers were not informed of the imminent risk, which likely would have prompted immediate updates had they been aware. Consequently, any user who did not patch is now considered at high risk of compromise.
Defender Challenges in the Wake of Obscured Vulnerabilities
The handling of this Fortinet vulnerability has highlighted challenges for third-party researchers and defenders. Ryan Emmons, a security researcher at Rapid7, described the situation as functionally similar to a zero-day for defenders, as exploitation occurred before any formal awareness or guidance was available.
The release notes for FortiWeb 8.0.2 do not explicitly mention specific vulnerabilities, further complicating the efforts of the security community. “The challenge is that the security community builds its understanding through shared signals like public advisories, CVE assignments, behavioral descriptions, and clear remediation instructions,” Emmons stated. He emphasized that when these signals are delayed or fragmented, it hinders the collective ability to assess and respond to threats.
Emmons argued that attackers often possess a first-mover advantage, and defenders rely heavily on vendor transparency and industry coordination. “When a vendor has knowledge of product flaws and a patch is published, it’s imperative that defenders are given a heads-up notice with as much actionable information as possible. Obscurity hurts defenders more than it impedes attackers,” he said.
The belated CVE assignment for this critical Fortinet vulnerability compounded the issues for defenders. “In the dark, information is scarce and delays are inherent, as defenders burn cycles trying to figure out what’s even going on,” Emmons noted. This scenario significantly strengthens the attacker’s position.
Security teams are already overwhelmed with numerous vulnerability patches, and immediate remediation for every issue is often unfeasible due to operational risks, such as patches disrupting critical processes. Many organizations, adhering to standard change control procedures, likely delayed applying the patch. This situation, combined with Fortinet’s initial silence, left defenders at a significant disadvantage, potentially unaware of the full severity of the issue until active exploitation was widely observed.
Looking ahead, federal agencies must apply the patch within seven days as mandated by CISA. The full extent of compromises and the ultimate source of the attacks remain subjects of ongoing investigation. Organizations using FortiWeb are strongly advised to apply the latest software updates immediately, regardless of prior knowledge of the specific vulnerability.