Only days after Fortinet was criticized by researchers for ‘silently’ patching a zero-day vulnerability without informing its customers, it has emerged that it did the same for a second zero-day that is being used as part of the same attack chain.
This is a story of two zero-day vulnerabilities in the FortiWeb web application firewall made public four days apart: CVE-2025-64446 (FG-IR-25-910), made public on November 14, and a second, CVE-2025-58034 (FG-IR-25-513), made public on November 18.
The most serious is the first, CVE-2025-64446, rated ‘critical’ with a CVSS score of 9.4, comprising two slightly different GUI flaws, the first a path traversal vulnerability, the second an authentication bypass weakness.
Because Fortinet said it had “observed this to be exploited in the wild,” this immediately put it into a category of flaw security teams were going to prioritize.
Except, according to watchTowr Labs, the vulnerability was patched on October 28 with the release of FortiWeb WAF version 8.0.2, more than two weeks before it was disclosed as a zero-day.
“Did Fortinet stumble, silently, into patching a vulnerability? Only Fortinet knows, really,” observed watchTowr Labs.
Insecurity through obscurity
With criticism of this ‘silent’ patching approach growing, on November 18 Fortinet posted an advisory warning of a second zero-day vulnerability being exploited in the wild, also addressed by the version 8.0.2 update on October 28.
Identified as CVE-2025-58034, this is an OS command injection vulnerability with a ‘medium’ severity and CVSS score of 6.7 that “may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands,” said Fortinet.
It was also being exploited in the wild, Fortinet said, making it a second zero-day vulnerability for security teams to cope with within a few days.
Why did Fortinet wait to disclose the existence of vulnerabilities already under exploitation? It’s possible Fortinet was aware of the flaws, hence the patch addressing them, but not that they were being exploited. That seems incredibly unlikely given that reports from several sources mention exploit detections going back to early October.
A second and more controversial possibility is that the company was aware but decided not to disclose them to avoid alerting other criminals to their existence until more customers had applied the version 8.0.2 update.
Either way, what is more difficult to explain is why Fortinet chose to disclose the zero days four days apart. This is pertinent because it has since emerged that the vulnerabilities are, at least in some attacks, being used as part of the same chain of compromise.
In a post on X, Orange Cyberdefence noted that “Several exploitation campaigns targeting the Fortinet FortiWeb CVE-2025-58034 (root LPE) chained with CVE-2025-64446 are currently underway.”
While this is not confirmation that this is happening in all cases, it’s clear that customers would want to understand their exposure to both at the same time. CSO reached out to Fortinet for a response to these issues but had not heard back at press time.
Fortinet’s handling of the issue has come in for heavy criticism. “Teams can’t prioritize updates when they don’t know about these vulnerabilities. Many depend on the advisories to fix issues, so a silent patch like this can give a false sense of security,” Amy Mortlock, marketing vice president at OSINT company ShadowDragon told CSO Online. “This is an example of why transparency is as important as the patch itself,” she said.
“If the patch had mentioned the zero-day vulnerability, organizations may have understood it to be urgent rather than routine and scheduled for the next maintenance window,” agreed Amruth Laxman, founding partner of cloud VoIP provider 4Voice. He believed that transparency about serious flaws was essential for customers to make informed decisions.
Patching advice
Affected versions of FortiWeb include 7.0.0 through 7.0.11, 7.2.0 through 7.2.11, 7.4.0 through 7.4.9, 7.6.0 through 7.6.4, and 8.0.0 through 8.0.1. Fixes are applied, in the same order, by releases 7.0.12, 7.2.12, 7.4.10, 7.6.5, and 8.0.2.
Meanwhile, the widespread use of FortiWeb WAFS in government has prompted a warning by CISA that agencies should patch CVE-2025-58034 within one week, an unusually short timeframe for updating.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA said.
As a leading networking vendor, Fortinet is a frequent target for vulnerability exploits, including zero-days such as the ‘critical’ rated bypass vulnerability affecting FortiProxy secure web gateways in early 2025.
No Responses