Fortinet has fixed a zero-day in its FortiWeb product which allowed attackers to traverse directories on the device.
They have a CVE for this but no CVSS score.
The beginning of this article says:
Fortinet has confirmed that it has silently patched a critical zero-day vulnerability in its FortiWeb web application firewall, which is now “massively exploited in the wild.”
The flaw was silently patched after reports that unauthenticated attackers were exploiting an unknown FortiWeb path traversal flaw in early October to create new administrative users on Internet-exposed devices.
The attacks were first identified by threat intel firm Defused on October 6, which published a proof-of-concept exploit and reported that an “unknown Fortinet exploit (possibly a CVE-2022-40684 variant)” is being used to send HTTP POST requests to the /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi Fortinet endpoint to create local admin-level accounts.
What bothers me a little bit is the fact that they gave it a CVE that dates from 2022. Has it been a problem for 3 years, or is this a brand new attack that was found, yet was given a 2022 CVE, and they patched it at that time, and this is a new patch for modern devices?
On Thursday, watchTowr Labs security researchers also demoed an exploit and released a tool called “FortiWeb Authentication Bypass Artifact Generator” to help defenders identify vulnerable devices.
Cybersecurity firm Rapid7 added that the flaw affects FortiWeb versions 8.0.1 and earlier, as it confirmed that the publicly available proof-of-concept exploit no longer works after updating to version 8.0.2.
Today, Fortinet disclosed that attackers are actively exploiting a path confusion vulnerability (now tracked as CVE-2025-64446) in FortiWeb’s GUI component, which allows unauthenticated attackers to execute administrative commands on unpatched systems via crafted HTTP or HTTPS requests.
There’s plenty more, including several 2025 CVE numbers, here, as well as what to do if you can’t patch your FortiWeb 7 and 8 products.
“Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks” is our article for this one.
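As an added example (not code from the post, nor from Fortinet, Defused, watchTowr or Rapid7), here is a small Python scanner that flags web-server access-log entries matching the request shape described above: an encoded “?” kept inside the path, “..” segments, and a decoded path that resolves to /cgi-bin/fwbcgi. The log lines are constructed for the demo; the log format and field names are assumptions.

```python
import re
import posixpath
from urllib.parse import unquote

# Constructed sample access-log lines (common log format). The first request carries the
# endpoint path quoted in the post; the other two are benign filler traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [06/Oct/2025:10:01:02 +0000] "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Oct/2025:10:02:15 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 401 0',
    '192.0.2.5 - - [06/Oct/2025:10:05:00 +0000] "GET /static/js/app.js HTTP/1.1" 200 3021',
]

# Assumed log layout: client IP, two dashes, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize_path(raw_target: str) -> str:
    """Decode percent-escapes, then collapse '..' the way a permissive router would."""
    return posixpath.normpath(unquote(raw_target))

def classify(raw_target: str):
    """Return (normalized_path, reasons); an empty reasons list means the request looks benign."""
    reasons = []
    # A literal '?' would start the query string; an encoded one (%3f) keeps everything after
    # it inside the path. That is the path confusion the post describes.
    if re.search(r'%3f', raw_target, re.IGNORECASE):
        reasons.append('encoded-question-mark-in-path')
    if '/../' in unquote(raw_target):
        reasons.append('dot-dot-traversal')
    norm = normalize_path(raw_target.split('?', 1)[0])
    if norm.endswith('/cgi-bin/fwbcgi'):
        reasons.append('resolves-to-fwbcgi')
    return norm, reasons

def scan_log(lines):
    """Parse each line and collect the ones whose request target matches any indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        norm, reasons = classify(m['target'])
        if reasons:
            hits.append({'ip': m['ip'], 'method': m['method'], 'raw': m['target'],
                         'normalized': norm, 'status': int(m['status']), 'reasons': reasons})
    return hits

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A status of 200 on a hit is the signal to go look for newly created administrator accounts, since the probe in the post was used to add them.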