Fortinet finally published a security advisory on Friday for a critical FortiWeb path traversal vulnerability under active exploitation – but it appears digital intruders got a month's head start.

The bug, now tracked as CVE-2025-64446, allows unauthenticated attackers to execute administrative commands on Fortinet's web application firewall product and fully take over vulnerable devices. It's fully patched in FortiWeb version 8.0.2, but it didn't even have a CVE assigned to it until Friday, when the vendor admitted to having "observed this to be exploited in the wild."

Also on Friday, the US Cybersecurity and Infrastructure Agency (CISA) added CVE-2025-64446 to its Known Exploited Vulnerabilities Catalog.

A Fortinet spokesperson declined to answer The Register 's questions about explo
