A Fortinet display at the 2025 RSA Conference in San Francisco. Image: Jonathan Greig / Recorded Future News

CISA gives federal agencies one week to patch exploited Fortinet bug

The federal government confirmed on Friday that hackers are exploiting a vulnerability affecting Fortinet devices that has caused alarm among cybersecurity experts since early October. 

The Cybersecurity and Infrastructure Security Agency (CISA) gave all federal civilian agencies seven days to patch CVE-2025-64446 and released an advisory that said it is “aware of exploitation.” CISA typically gives agencies 21 days to patch most vulnerabilities added to its list of exploited bugs. 

CISA warned that if users cannot immediately upgrade affected systems, they should disable HTTP or HTTPS for internet-facing interfaces. 

Fortinet published an advisory on Friday as well, rating CVE-2025-64446 a “critical” vulnerability and giving it a severity score of 9.1 out of 10. 

The bug affects Fortinet FortiWeb, a web application firewall used widely across governments and large businesses to detect and block malicious traffic to web applications. Fortinet urged customers to upgrade to patched versions. 

The issue was first highlighted by cybersecurity firm Defused on October 6. Cybersecurity company watchTowr published a detailed breakdown of the vulnerability and noted that newer versions of the software are not vulnerable to the bug. The company said it is unclear if Fortinet accidentally patched the bug in newer versions of its software or quietly patched it without telling the public. 

Fortinet declined to answer questions about the timing of the patch, telling Recorded Future News that it activated its response and remediation efforts “as soon as they learned of this matter.”

“Fortinet diligently balances our commitment to the security of our customers and our culture of responsible transparency,” a spokesperson said. 

“With that goal and principle top of mind, we are communicating directly with affected customers to advise on any necessary recommended actions.”

Benjamin Harris, watchTowr CEO, said the company is seeing active, indiscriminate in-the-wild exploitation of the vulnerability. The company released a Detection Artefact Generator to enable defenders to identify vulnerable hosts.

“Patched in version 8.0.2, the vulnerability allows attackers to perform actions as a privileged user – with in-the-wild exploitation focusing on adding a new administrator account as a basic persistence mechanism for the attackers,” Harris told Recorded Future News. 
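The persistence pattern Harris describes, an unexpected new administrator account, is something defenders can check for with a simple baseline comparison. The script below is an added example written for this page, not Fortinet's or watchTowr's tooling; the account records it reads are a constructed, generic shape (name, profile, creation time), not FortiWeb's actual export format, so the field names are assumptions to be mapped onto whatever listing you can pull from your own device or management console.

```python
"""Flag administrator accounts that are absent from a known-good baseline.

Added example: the record layout is a constructed, generic shape (assumed),
not the format of any Fortinet export.
"""
from datetime import datetime, timezone

# Constructed baseline: accounts an operator has reviewed and approved.
BASELINE_ADMINS = {"admin", "secops-ro"}

# Constructed current listing, in the assumed generic shape.
CURRENT_ADMINS = [
    {"name": "admin", "profile": "prof_admin", "created": "2024-03-01T09:12:00Z"},
    {"name": "secops-ro", "profile": "read_only", "created": "2024-06-15T14:00:00Z"},
    {"name": "sys_update", "profile": "prof_admin", "created": "2025-11-13T02:41:07Z"},
]

# Date the issue was first publicly highlighted, per the article (October 6).
DISCLOSURE_DATE = "2025-10-06T00:00:00Z"


def _parse_ts(value):
    """Parse an ISO-8601 timestamp; a trailing 'Z' is treated as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def find_unexpected_admins(current, baseline, since=None):
    """Return accounts whose name is not in `baseline`.

    If `since` (ISO-8601 string) is given, only accounts created at or after
    that instant are returned, which narrows review to the exposure window.
    Results are sorted newest first so the most recent addition is on top.
    """
    cutoff = _parse_ts(since) if since else None
    flagged = []
    for acct in current:
        if acct["name"] in baseline:
            continue
        created = _parse_ts(acct["created"])
        if cutoff is not None and created < cutoff:
            continue
        flagged.append({**acct, "created_at": created})
    flagged.sort(key=lambda a: a["created_at"], reverse=True)
    return flagged


def report(current, baseline, since=None):
    """Human-readable lines for each flagged account, privileged ones marked."""
    lines = []
    for acct in find_unexpected_admins(current, baseline, since):
        # "prof_admin" is the constructed name for a full-privilege profile here.
        tag = "PRIVILEGED" if acct["profile"] == "prof_admin" else "limited"
        lines.append(
            f"{acct['name']}: not in baseline, profile={acct['profile']} ({tag}), "
            f"created {acct['created_at'].isoformat()}"
        )
    return lines


if __name__ == "__main__":
    for line in report(CURRENT_ADMINS, BASELINE_ADMINS, since=DISCLOSURE_DATE):
        print(line)
```

The baseline must come from a record you trust (a change-controlled list, not the device's own current state), otherwise an account added before you took the snapshot is silently accepted; the `since` filter is a triage aid, not a substitute for that.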

Experts at Rapid7 said they observed that an alleged zero-day exploit targeting FortiWeb was published for sale on a popular cybercriminal forum on November 6. Rapid7 explained that successful exploitation “allows an attacker with no existing level of access to gain administrator-level access to the FortiWeb Manager panel.”

Scott Caveza, senior staff research engineer at Tenable, noted that Fortinet devices are frequent targets for hackers and added that this is the 21st vulnerability affecting the company’s products that has been added to CISA’s Known Exploited Vulnerabilities list.

“Over the last 24 hours, we’ve seen multiple reports confirming the existence of a new and previously unidentified vulnerability, including several sources reporting that active exploitation has already occurred,” Caveza told Recorded Future News, noting that they have “already seen hundreds of devices, many in the U.S., publicly available on Shodan.” 

“While it’s unclear why Fortinet is only now releasing its advisory, it serves as a reminder that defenders must remain vigilant and regularly apply updates for critical devices regardless of a vulnerability’s exploitation status. You’re a sitting duck if you don't address these issues in a timely manner.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.