Fortinet's silent patch leaves customers vulnerable to attacks

Fortinet patched a vulnerability in its FortiWeb firewall on October 28 but waited 17 days to publicly disclose it, during which time attackers had already begun exploitation of the flaw affecting customers who hadn't updated.

What happened

Fortinet addressed CVE-2025-64446, a path-traversal vulnerability in FortiWeb with a CVSS rating of 9.8, in a software update released on October 28. However, the company did not assign a CVE identifier or publicly disclose the flaw's existence until November 14th, 17 days later. At that point, Fortinet confirmed the vulnerability was being actively exploited in the wild. The defect allows attackers to execute administrative commands, resulting in the complete takeover of compromised devices. Federal authorities and CISA issued warnings on Friday, with CISA adding the flaw to its known exploited vulnerability catalog and requiring federal agencies to patch within seven days. Attackers have been exploiting the vulnerability to add new administrative accounts, likely achieving persistent privileged access on compromised devices.

Going deeper

Fortinet's release notes for FortiWeb 8.0.2 included no reference to specific vulnerabilities, leaving security teams unaware of the risk. Attacks have been widespread and indiscriminate according to shared evidence since at least early October, long before the industry could respond. Threat hunters have not yet attributed the attacks to any specific cybercrime outfit, place of origin, or motivation. Researchers haven't identified or named specific victims yet, but the exploitation has been extensive enough to draw warnings from multiple threat intelligence firms and computer emergency response teams.

What was said

A Fortinet spokesperson stated that the vendor's product security incident response team began addressing the vulnerability as soon as they learned of the defect. "Fortinet diligently balances our commitment to the security of our customers and our culture of responsible transparency," the spokesperson said, "With that goal and principle top of mind, we are communicating directly with affected customers to advise on any necessary recommended actions."

In the know

A path-traversal vulnerability is a security flaw that allows attackers to access files and directories stored outside the web root folder by manipulating file path references. In this case, the vulnerability in FortiWeb, Fortinet's web application firewall, enabled attackers to bypass security controls and execute administrative commands. With a CVSS rating of 9.8 out of 10, this is considered a critical severity vulnerability that poses an immediate risk to affected systems. The defect allows for complete device takeover, giving attackers full administrative control over the compromised firewall.

Why it matters

This incident shows a gap in vendor disclosure practices that puts defenders at a disadvantage. By silently patching the vulnerability without public notification, Fortinet left customers unaware they were running critically vulnerable systems even after a fix was available. Many organizations follow standard change-control processes and delay patching to assess operational risks, as patches can potentially break critical processes and integrations. Without knowing the severity of the threat, security teams had no reason to prioritize this update. Meanwhile, attackers exploited this information for weeks, compromising organizations that would have immediately patched had they known the risk. 

The bottom line

This case demonstrates that the timing and transparency of vulnerability disclosures can be as critical as the patches themselves. Organizations using FortiWeb should immediately verify they've updated to version 8.0.2 or later, hunt for signs of compromise, including unauthorized administrative accounts, and implement stronger monitoring on these devices going forward.

Related: HIPAA Compliant Email: The Definitive Guide

FAQs

Why do some vendors delay public disclosure of vulnerabilities even after releasing patches?

Vendors may delay disclosure to prevent tipping off attackers before customers patch, though this strategy can backfire.

Could coordinated vulnerability disclosure policies prevent situations like this?

Yes, established CVD frameworks help set expectations for timely and transparent reporting.

Do silent patches increase legal liability for vendors during active exploitation?

In some cases they can, depending on regulatory expectations and contractual obligations.

How can organizations detect silent patches in vendor updates?

Security teams often rely on reverse engineering updates or monitoring threat intel feeds for hints of hidden fixes.

How can enterprises prioritize patches when no severity rating is disclosed?

They must rely on internal risk scoring, vendor history, and automated update analysis tools.