Active Exploitation Alert: Analysts at watchTowr Warn on FortiWeb

Analysts at watchTowr warn of active FortiWeb attacks. Patch your systems now to prevent attackers from exploiting CVE-2025-64446 and gaining admin access

Analysts at cyber security firm watchTowr sounded the alarm late last week, warning that they had observed active exploitation of an authentication bypass vulnerability in Fortinet’s FortiWeb products. This vulnerability, now tracked as CVE-2025-64446, allows attackers to gain privileged access and perform critical actions, including adding unauthorized administrator accounts.

“Oh, look at that, it’s a Thursday! And in continuing with Thursday’s, the watchTowr team is seeing active, indiscriminate in-the-wild exploitation of what appears to be a silently patched vulnerability in Fortinet’s FortiWeb product,” said watchTowr CEO Benjamin Harris on November 14. He noted that while Fortinet patched the vulnerability in version 8.0.2, any devices left unpatched were at risk of compromise.

According to watchTowr, the exploit is being used primarily for persistence. Attackers can quietly establish new administrator accounts, giving them long-term access to FortiWeb appliances. “This is a serious risk for organizations using FortiWeb products that have not applied the latest security updates,” Harris added. Analysts at watchTowr emphasized the urgency, urging network administrators to verify patches immediately.

Further confirming the threat, Rapid7 reported that exploitation has been occurring since October, with activity possibly spiking after November 6. “On November 6, 2025, Rapid7 Labs observed that an alleged zero-day exploit targeting FortiWeb was published for sale on a popular black hat forum,” the company said in a blog post. While it is unclear if this is the same exploit observed by watchTowr, the timing is alarming.

Over the weekend, Fortinet officially acknowledged the vulnerability and confirmed its active exploitation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) quickly added CVE-2025-64446 to its Known Exploited Vulnerabilities Catalog and issued an advisory urging organizations to patch FortiWeb systems without delay. The acknowledgment underscores the serious nature of the risk and the widespread potential impact.

Experts at watchTowr stressed that organizations should not delay applying Fortinet’s recommended updates. “Exploitation is active, and unpatched systems are highly likely to be compromised,” Harris warned. Analysts at watchTowr also noted that monitoring network traffic for suspicious administrative activity can help detect early signs of exploitation, but patching remains the most effective defense.

Security researchers continue to investigate the scope and origin of the attacks. Meanwhile, organizations running Fortinet FortiWeb appliances are strongly advised to prioritize patch deployment, review administrative accounts, and implement enhanced monitoring. Analysts at watchTowr concluded that the current situation is a reminder of the critical importance of timely patch management in preventing security breaches.

With threat actors targeting FortiWeb systems actively, organizations ignoring updates face serious risks. Analysts at watchTowr recommend immediate action to secure vulnerable appliances and reduce the chance of unauthorized access, noting that the ongoing attacks could have long-term consequences for affected networks.