Fortinet has confirmed that it has silently patched a critical zero-day vulnerability in its FortiWeb web application firewall, which is now “massively exploited in the wild.”

The flaw was silently patched after reports that unauthenticated attackers were exploiting an unknown FortiWeb path traversal flaw in early October to create new administrative users on Internet-exposed devices.

The attacks were first identified by threat intel firm Defused on October 6, which published a proof-of-concept exploit and reported that an “unknown Fortinet exploit (possibly a CVE-2022-40684 variant)” is being used to send HTTP POST requests to the /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi Fortinet endpoint to create local admin-level accounts.

On Thursday, watchTowr Labs security researchers also demoed an exploit and released a tool called “FortiWeb Authentication Bypass Artifact Generator to help defenders identify vulnerable devices.

Cybersecurity firm Rapid7 added that the flaw affects FortiWeb versions 8.0.1 and earlier, as it confirmed that the publicly available proof-of-concept exploit no longer works after updating to version 8.0.2.

Today, Fortinet disclosed that attackers are actively exploiting a path confusion vulnerability (now tracked as CVE-2025-64446) in FortiWeb’s GUI component, which allows unauthenticated attackers to execute administrative commands on unpatched systems via crafted HTTP or HTTPS requests.

“Fortinet has observed this to be exploited in the wild,” the company noted in a Friday security advisory, which confirms that the zero-day has been patched in FortiWeb 8.0.2, released on October 28, three weeks after the first report of CVE-2025-64446 active exploitation.

Federal agencies ordered to patch within a week

CISA also added the CVE-2025-64446 path traversal flaw to its catalog of actively exploited vulnerabilities on Friday, ordering U.S. federal agencies to patch their systems by November 21.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the cybersecurity agency warned.

Admins who can’t immediately upgrade to FortiWeb 8.0.2 should disable HTTP or HTTPS for all internet-facing management interfaces and ensure that access is restricted to trusted networks.

Fortinet also advised customers to check their configuration and review logs for new unauthorized administrator accounts and other unexpected modifications.

BleepingComputer contacted Fortinet with questions about these ongoing attacks, but we have yet to receive a response.

In August, Fortinet patched a critical command injection flaw (CVE-2025-25256) with publicly available exploit code in its FortiSIEM security monitoring solution, one day after cybersecurity company GreyNoise warned of a massive spike in brute-force attacks targeting Fortinet SSL VPNs.