Unauthenticated Authentication Bypass in Fortinet FortiWeb (CVE-2025-64446) Exploited in the Wild

By Ash K
Unauthenticated Authentication Bypass in Fortinet FortiWeb (CVE-2025-64446) Exploited in the Wild

A critical flaw in Fortinet’s FortiWeb Web Application Firewall, tracked as CVE-2025-64446, is now being actively exploited in the wild. The vulnerability enables unauthenticated attackers to bypass login protections and gain direct access to administrative interfaces. Security researchers and enterprise defenders have begun observing real exploitation attempts across multiple regions, confirming that threat actors are weaponizing this flaw at speed.

Understanding the vulnerability

CVE-2025-64446 stems from improper session validation within the authentication flow of FortiWeb management portals. Under specific conditions, a crafted sequence of HTTP requests can trick the system into issuing a valid session token to an unauthenticated attacker. This allows direct access to administrative pages without providing any credentials.

Once authenticated at the administrator level, attackers can modify configurations, disable protections, create backdoor accounts or deploy malicious rules to intercept, tamper with or redirect traffic flowing through the web application firewall. The issue affects several current FortiWeb versions, making the exposure especially concerning for organizations operating internet-facing appliances.

Active exploitation now confirmed

Over the last forty eight hours, security teams have detected exploitation attempts originating from known botnet infrastructure, anonymization nodes and compromised servers. Attackers are scanning for exposed FortiWeb devices and immediately triggering the bypass exploit when a vulnerable version is detected.

Early reporting indicates that both financially motivated cybercriminals and more advanced threat groups are testing the flaw. Common post exploitation actions include creating new administrative accounts, replacing configuration files and disabling specific WAF rules to create quiet persistence on the device.

Several enterprises have already reported unauthorized configuration changes on their appliances, suggesting that some attacks were successful before detection and remediation efforts began. Fortinet has acknowledged the issue and is urging all customers to apply patches without delay.

What attackers can achieve after bypassing authentication

When successful, the exploit grants attackers full access to FortiWeb’s management interface. This level of control allows them to:

  • Modify or disable security rules that protect critical applications.
  • Inject malicious rewrite policies to intercept credentials or session tokens.
  • Install backdoor administrators for persistent long term access.
  • Pivot into internal networks by leveraging trusted positions of the WAF.
  • Harvest configuration data that maps internal application infrastructure.

Because FortiWeb sits in front of highly sensitive business applications, a compromised device can provide attackers with powerful opportunities to intercept and manipulate web traffic or to stage secondary intrusions deeper into a target environment.

Fortinet’s response and patch availability

Fortinet has released security updates that fully address CVE-2025-64446. The company is strongly advising customers to upgrade affected versions and verify that their devices are not already compromised. Updated intrusion prevention signatures and threat intelligence indicators are being distributed across Fortinet’s security ecosystem to aid defenders in detecting abuse.

In addition to patching, Fortinet recommends reviewing administrative access logs, validating the integrity of configuration files and ensuring that no unauthorized accounts or persistence mechanisms have been added.

What security teams should do now

Given the rapid exploitation of this flaw, security teams should act immediately. Priority steps include:

  • Applying the latest FortiWeb patches and firmware updates.
  • Reviewing appliance logs for suspicious authentication events or configuration changes.
  • Restricting management interface access to internal networks or VPN channels.
  • Validating rule integrity and comparing configurations against known good baselines.
  • Deploying additional network monitoring to detect post exploitation activity.

CVE-2025-64446 is a prime example of how quickly attackers weaponize newly disclosed vulnerabilities. Organizations that rely on FortiWeb appliances for critical application protection should treat this incident as a high priority. Timely patching, rigorous log analysis and tightened access controls will be essential to prevent unauthorized access and safeguard business applications from further compromise.

Ash K
Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.