FortiWeb CVE‑2025‑64446: What We’re Seeing in the Wild

GreyNoise reports active exploitation of CVE-2025-64446, a critical path-traversal vulnerability affecting Fortinet FortiWeb appliances. This flaw allows unauthenticated attackers to execute administrative commands remotely, posing a severe risk to network security perimeter devices. The exploitation status indicates immediate threat activity in the wild, requiring urgent attention from organizations utilizing affected FortiWeb versions. While no specific threat actors or malware families are currently attributed to these attacks, the capability for unauthenticated command execution suggests potential for full system compromise, data exfiltration, or lateral movement. Administrators should prioritize patching FortiWeb appliances immediately to mitigate this risk. Continuous monitoring for suspicious administrative activity is also recommended. The severity is classified as critical due to the lack of authentication requirements and the high value of web application firewall infrastructure in protecting backend services. Immediate remediation is essential to prevent unauthorized access.

GreyNoise has begun seeing active exploitation of CVE‑2025‑64446, the critical path‑traversal flaw that lets an unauthenticated actor run administrative commands on Fortinet FortiWeb appliances.

GreyNoise reports active exploitation of CVE-2025-64446, a critical path-traversal vulnerability affecting Fortinet FortiWeb appliances. This flaw allows unauthenticated attackers to execute administrative commands remotely, posing a severe risk to network security perimeter devices. The exploitation status indicates immediate threat activity in the wild, requiring urgent attention from organizations utilizing affected FortiWeb versions. While no specific threat actors or malware families are currently attributed to these attacks, the capability for unauthenticated command execution suggests potential for full system compromise, data exfiltration, or lateral movement. Administrators should prioritize patching FortiWeb appliances immediately to mitigate this risk. Continuous monitoring for suspicious administrative activity is also recommended. The severity is classified as critical due to the lack of authentication requirements and the high value of web application firewall infrastructure in protecting backend services. Immediate remediation is essential to prevent unauthorized access. GreyNoise has begun seeing active exploitation of CVE‑2025‑64446, the critical path‑traversal flaw that lets an unauthenticated actor run administrative commands on Fortinet FortiWeb appliances. GreyNoise has begun seeing active exploitation of CVE‑2025‑64446, the critical path‑traversal flaw that lets an unauthenticated actor run administrative commands on Fortinet FortiWeb appliances.