The CrowdSec Network has detected active exploitation of CVE-2025-64446, a path-traversal vulnerability in Fortinet FortiWeb. CVE-2025-64446 allows attackers to invoke system endpoints and bypass authentication for FortiWeb. The vulnerability has been given a high severity rating and has been circulating as a 0-day exploit since October 2025. The vulnerability affects FortiWeb versions before 8.0.1. CrowdSec Intelligence has detected around 60 distinct IPs probing for this vulnerability.
CrowdSec’s key findings on CVE-2025-64446
- The vulnerability was disclosed on November 14, 2025, by WatchTowr Labs and added to CISA KEV the same day.
- CrowdSec coverage and telemetry indicate exploitation attempts starting on November 12, 2025, at least two days before the public disclosure. CrowdSec released a virtual patching rule for the CrowdSec WAF on November 17.
- Fortinet silently patched the vulnerability with FortiWeb 8.0.2
What is Fortinet FortiWeb?
Fortinet FortiWeb is a web application firewall (WAF) that protects public-facing web applications and APIs against common cyberattacks. It sits in front of applications as a reverse proxy or inline appliance. If attackers can bypass authentication or impersonate users on the FortiWeb management plane or protected flows, they can potentially alter security policies, disable protections, or impersonate downstream users. This raises the risk of data exposure, account takeover, and service disruption.
How does CVE-2025-64446 work?
WatchTowr Labs details how CVE-2025-64446 can be abused to impersonate users, effectively bypassing normal authentication checks in certain workflows. The exploit works in two steps. First, the path traversal vulnerability is used to access a system binary in the FortiWeb application. The request body is then passed to this binary, allowing attackers to manipulate or create authenticated users. In practice, this can allow an attacker to assume another user’s identity, leading to unauthorized access and policy manipulation.
The exploit was added to the CISA Known Exploited Vulnerabilities (KEV) catalogue on the day of its release, as descriptions of the exploit have been floating around since early October.
The exploit has been silently patched by Fortinet with release 8.0.2.
Trend analysis
CrowdSec has observed significant activity targeting the vulnerability. The attacks seem to involve a broad reconnaissance campaign indiscriminately looking for vulnerable endpoints on one hand and a group of directly targeted attacks using fresh machines on the other hand. Overall, the CrowdSec Network has observed around 500 attack events originating from 60 distinct sources.
After the public disclosure of the exploit, attack volume has increased. This is likely due to the simplicity with which the exploit can be executed. As FortiWeb acts as a first, and sometimes only, line of defense against attacks, it is a particularly attractive target. We therefore expect attack volumes to increase further and remain high. Immediate remediation is recommended.
How to protect your systems
- Patch: Update your FortiWeb instances to 8.0.2 as soon as possible. Older major versions, such as 7.6.x and 7.4.x have received backported patches.
- Stay Proactive: Deploy CrowdSec’s behavioral WAF to detect and stop CVE-2025-64446. A virtual-patching rule for this CVE was released on the 17th of November.
You can learn more about this vulnerability and the information we have gathered by checking out our CVE Explorer page.Â