Fortinet’s delayed alert on actively exploited defect put defenders at a disadvantage
Federal authorities and researchers alerted organizations Friday to a massively exploited vulnerability in Fortinet’s web application firewall.
While the actively exploited critical defect poses significant risk to Fortinet’s customers, researchers are particularly agitated about the vendor’s delayed communications and, ultimately, post-exploitation warnings about the vulnerability.
Fortinet addressed CVE-2025-64446 in a software update pushed Oct. 28, but did not assign the flaw a CVE or publicly disclose its existence until last week — 17 days later — when the company also confirmed the vulnerability has been exploited in the wild.
By then, for some Fortinet customers, especially those that hadn’t updated to FortiWeb 8.0.2, it was too late. The path-traversal defect in FortiWeb, which has a CVSS rating of 9.8, allows attackers to execute administrative commands resulting in a complete takeover of the compromised device.
Threat researchers from multiple firms, computer emergency response teams and the Cybersecurity and Infrastructure Security Agency issued warnings, with some including details about extensive attacks linked to the defect Friday. CISA also issued an alert and added the flaw to its known exploited vulnerability catalog Friday, requiring federal agencies to address the vulnerability within a short deadline of seven days.
A Fortinet spokesperson said the vendor’s product security incident response team began addressing the vulnerability as soon as it learned of the defect, and those efforts remain underway. “Fortinet diligently balances our commitment to the security of our customers and our culture of responsible transparency,” the spokesperson said in a statement.
“With that goal and principle top of mind, we are communicating directly with affected customers to advise on any necessary recommended actions,” the spokesperson added.
Threat researchers at Defused first spotted the vulnerability and published a proof-of-concept exploit they detected Oct. 6. Researchers at watchTowr published technical analysis of the exploit and released a tool to help organizations hunt for potentially vulnerable hosts in their environments.
“Attacks have been widespread and indiscriminate according to shared evidence since at least early October — long before the industry was able to pull the fire alarm, and arguably exacerbated by the silence from Fortinet,” Ben Harris, founder and CEO at watchTowr, told CyberScoop.
Researchers haven’t identified or named victims yet, but attackers are exploiting the vulnerability to add new administrative accounts, likely achieving persistent privileged access on compromised devices. Threat hunters have not attributed the attacks to any cybercrime outfit, place of origin or motivation.
“Fortinet’s silent patching of the vulnerability — intentional or not — likely led many users not to apply the patch that actually fixed the vulnerability,” Harris said. “FortiWeb customers weren’t told about the critical, immediate risk of not applying these patches. Had they known, they would have likely updated right away. Now, anyone who didn’t patch is likely compromised.”
Information vacuum left researchers scrambling
The vulnerability falls under a gray area of definition — a less-important detail but one that underscores the difficulties third-party researchers confronted in mounting a proper and informed response.
“Unless Fortinet is now fixing vulnerabilities by accident, by definition, it isn’t a zero-day, it’s a silently patched vulnerability and thus an n-day,” Harris said.
Yet, from a defender’s perspective this vulnerability functionally behaved as a zero-day, said Ryan Emmons, security researcher at Rapid7. “It was being exploited before customers had any formal awareness, guidance or patch information.”
Fortinet’s release notes for FortiWeb 8.0.2 don’t include any reference to specific vulnerabilities.
“The challenge is that the security community builds its understanding through shared signals like public advisories, CVE assignments, behavioral descriptions, and clear remediation instructions. When those signals arrive late or in fragments, it slows the ability of researchers, vendors, and defenders to triangulate what’s actually happening,” Emmons said.
“Attackers often have first-mover advantage, and defenders rely heavily on vendor transparency and cooperative industry coordination,” Emmons added. “When a vendor has knowledge of product flaws and a patch is published, it’s imperative that defenders are given a heads-up notice with as much actionable information as possible. Obscurity hurts defenders more than it impedes attackers.”
Researchers resoundingly criticized Fortinet for delaying its public disclosure of the vulnerability and a lack of urgency until active exploitation was already underway.
Fortinet’s belated CVE assignment compounded problems for defenders. “In the dark, information is scarce and delays are inherent, as defenders burn cycles trying to figure out what’s even going on,” Emmons said. “This gives attackers a much stronger position.”
Security teams are already inundated with vulnerability patches. It’s not only unfeasible for them to address every defect and software update immediately, there’s also an operational impact risk to measure. Patches can break critical processes and integrations.
“Many organizations, following standard change-control processes, understandably delayed patching. Meanwhile, it’s possible that Fortinet itself was unaware of the full severity of the issue and silently patched a flaw without realizing the risk it posed,” Harris said. “This combination left defenders at a disadvantage from the start.”
