CISA has added a critical Fortinet FortiWeb (WAF) vulnerability, CVE-2025-64446, to its Known Exploited Vulnerabilities (KEV) catalog, mandating a patch by November 21, 2025. The flaw is a path traversal vulnerability (CVSS 9.1) that allows unauthenticated, remote attackers to execute arbitrary administrative commands, including creating rogue admin accounts.
Business Impact
This is a “perimeter-down” emergency. The WAF is your first line of defense; if attackers control it, they can bypass all security, steal data, deface websites, and pivot into your internal network. Reports confirm attackers are already exploiting this to create new admin accounts for persistent access.
Why It Happened
The vulnerability allows attackers to send crafted HTTP requests to bypass security checks and perform administrative actions. The flaw was reportedly “silently patched” by Fortinet in late October, but without a public CVE, many organizations were left unaware and vulnerable.
Recommended Executive Action
This is an immediate, critical patching priority. Direct your network security team to apply the patches (v7.4.8 or 7.6.6) now. More importantly, they *must* audit all FortiWeb devices for any unauthorized administrator accounts created in the last 30 days, as you may already be compromised.
Hashtags: #Fortinet #FortiWeb #ZeroDay #Vulnerability #RCE #CISA #KEV #PatchNow #InfoSec