@https://www.ithome.com.tw/news/172274
Over the past weekend, Fortinet issued a security advisory for its FortiWeb Web Application Firewall (WAF), disclosing the critical vulnerability CVE-2025-64446. Several cybersecurity companies reported that the flaw had already been actively exploited more than a month before the advisory was published.
On November 14, Fortinet announced that FortiWeb contains a vulnerability in its graphical user interface (GUI)—a path traversal flaw that allows an unauthenticated attacker to send specially crafted HTTP or HTTPS requests to the target system and execute administrative commands. The CVSS score published by Fortinet is 9.1 (while the U.S. National Vulnerability Database lists it as 9.8).
Fortinet stated that this vulnerability has been used in real-world attacks and advised IT personnel to urgently update their systems to the latest version. If updates cannot be applied immediately, Fortinet recommends temporarily disabling HTTP or HTTPS access to Internet-facing administrative interfaces.
On the same day, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch it within one week.
According to several cybersecurity media outlets, Fortinet learned of the flaw from security firms that had detected exploitation activity more than a month earlier. For example, Defused reported on October 6 that it had detected anomalous exploitation activity: attackers were using JSON Web Tokens (JWT) carrying valid payloads to create administrator accounts through a then-unknown vulnerability, suspected to be a variant of CVE-2022-40684. Notably, when Defused uploaded the payload to VirusTotal, none of the 95 antivirus engines flagged it as malicious.
Subsequently, other cybersecurity companies joined the investigation and published their findings. For instance, PwnDefend, working with Defused, reported that attackers sent payloads via HTTP POST to specific endpoints to create user accounts; PwnDefend also published Indicators of Compromise (IoCs), including attacker IP addresses, account names, and passwords created by the attack.
Orange Cyberdefense confirmed that the vulnerability had been exploited widely and stated that Fortinet had fixed the issue in FortiWeb versions 8.0.2, 7.6.5, 7.4.10, and 7.2.12.
Additionally, Rapid7 discovered that on November 6 someone had attempted to sell a FortiWeb zero-day vulnerability on a hacker forum, though it could not be confirmed whether it was CVE-2025-64446.
According to watchTowr's analysis, the flaw is actually a combination of two issues: a path traversal vulnerability in the request URI and an authentication bypass via HTTP request headers. watchTowr believes Fortinet may have known about the vulnerability earlier, because its examination of FortiWeb 8.0.2 revealed patched code that was not mentioned in Fortinet's release notes. watchTowr also released a Proof-of-Concept (PoC) video showing that sending a valid payload results in a successful login to FortiWeb.
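The two-part pattern watchTowr describes (a traversal sequence in the URI that reaches an administrative endpoint, combined with an HTTP header that asserts an identity) is something defenders can hunt for in access logs. The following is an added example, not code from Fortinet, watchTowr, Defused or PwnDefend: it percent-decodes request paths repeatedly (so double encoding does not hide `..`), resolves the segments to see which endpoint a request really reaches, and grades each record by how many of the signals appear together. The log format, the IP addresses, the endpoint substrings in `ADMIN_PATH_HINTS` and the header names in `IDENTITY_HEADERS` are all constructed placeholders; substitute the real paths and headers from the vendor and researcher IoCs before using it.

```python
"""Hunt for the traversal + header-based auth-bypass pattern in HTTP logs.

Added example, not vendor or researcher code. Every path hint, header name
and log line below is a constructed assumption for illustration.
"""
import re
from urllib.parse import unquote

# Assumption: substrings that mark account/admin management endpoints.
# Replace with the product's real API paths taken from published IoCs.
ADMIN_PATH_HINTS = ("/admin", "/user", "/account")
# Assumption: hypothetical header names an attacker might use to assert an
# identity to a backend that trusts them. Not taken from any advisory.
IDENTITY_HEADERS = ("x-example-identity", "x-example-user")

TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
# Constructed log format: <src> "<method> <uri> HTTP/x" <status> headers=k=v;k=v
LOG_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) headers=(?P<headers>.*)$'
)


def decode_path(raw_uri: str, rounds: int = 3) -> str:
    """Drop the query string, then percent-decode until the value is stable.

    Double encoding (%252e%252e) defeats a filter that decodes only once, so
    decode up to `rounds` times. Backslashes are folded to '/' as well.
    """
    path = raw_uri.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def has_traversal(raw_uri: str) -> bool:
    """True if the fully decoded path still contains a '..' segment."""
    return TRAVERSAL_RE.search(decode_path(raw_uri)) is not None


def normalize(path: str) -> str:
    """Resolve '.' and '..' segments the way a lenient server would, so the
    analyst sees which endpoint the request actually reaches."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def parse_line(line: str):
    """Parse one constructed-format log line into a dict, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    headers = {}
    for kv in m["headers"].split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            headers[k.strip().lower()] = v.strip()
    return {"src": m["src"], "method": m["method"], "uri": m["uri"],
            "status": int(m["status"]), "headers": headers}


def classify(rec) -> tuple:
    """Return (severity, reasons).

    'high' when a traversal sequence is combined with a POST to an admin path
    or with an identity-asserting header; 'low' for a single signal; 'none'
    when nothing matches.
    """
    reasons = []
    if has_traversal(rec["uri"]):
        reasons.append("traversal sequence in URI")
    target = normalize(decode_path(rec["uri"])).lower()
    if rec["method"] == "POST" and any(h in target for h in ADMIN_PATH_HINTS):
        reasons.append(f"POST to admin/account path {target}")
    for h in IDENTITY_HEADERS:
        if h in rec["headers"]:
            reasons.append(f"identity asserted via header {h}")
    if not reasons:
        return "none", reasons
    traversal = reasons[0].startswith("traversal")
    return ("high" if traversal and len(reasons) > 1 else "low"), reasons


def hunt(lines):
    """Return (severity, src, uri, reasons) for every suspicious record."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sev, reasons = classify(rec)
        if sev != "none":
            findings.append((sev, rec["src"], rec["uri"], reasons))
    return findings


# Constructed sample log (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = [
    '203.0.113.10 "GET /login HTTP/1.1" 200 headers=user-agent=Mozilla',
    '203.0.113.77 "POST /static/%2e%2e/%2e%2e/api/admin HTTP/1.1" 200 '
    'headers=content-type=application/json;x-example-identity=eyJ1c2VyIjoiYWRtaW4ifQ',
    '198.51.100.5 "POST /api/admin HTTP/1.1" 401 headers=cookie=sid%3Dabc',
    '192.0.2.9 "POST /assets/%252e%252e/api/user HTTP/1.1" 200 headers=x-example-user=admin',
]

if __name__ == "__main__":
    for sev, src, uri, reasons in hunt(SAMPLE_LOG):
        print(f"[{sev}] {src} {uri}: {'; '.join(reasons)}")
```

Two design points matter in practice. The severity is driven by the combination of signals rather than by any one of them, because a lone POST to an administrative path is normal administrator traffic, while traversal plus an identity header in the same request is the bypass shape the researchers describe. And decoding is repeated to a fixed point before the traversal check, since the whole point of the encoded variants is that a single decode pass leaves `..` hidden.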
7:52 AM
MISDUONG