Multiple Critical Vulnerabilities in Fortinet Security Products
Fortinet has disclosed several high-severity vulnerabilities affecting its security product lines, including FortiWeb, FortiVoice, and FortiSandbox. Notable issues include a cookie forgery vulnerability in FortiWeb (CVE-2025-64447) that allows unauthenticated attackers to execute arbitrary operations via forged cookies, provided they know the device's serial number, and an improper verification of cryptographic signatures in FortiWeb (CVE-2025-59719) that enables unauthenticated attackers to bypass FortiCloud SSO login authentication using crafted SAML responses. Additionally, FortiVoice is impacted by a path traversal vulnerability (CVE-2025-60024) permitting privileged authenticated attackers to write arbitrary files, and FortiSandbox suffers from an OS command injection flaw (CVE-2025-53949) that allows authenticated attackers to execute unauthorized code on the underlying system through crafted HTTP requests.
All vulnerabilities are remotely exploitable and have been assigned high or critical CVSS scores, with the FortiWeb authentication bypass rated as critical (CVSS 9.8/10). Fortinet has released security advisories and patches for the affected versions, urging customers to update their systems promptly to mitigate the risk of exploitation. Security researchers and vendors have highlighted the urgency of these patches due to the potential for unauthenticated remote attacks and the critical role these products play in enterprise security architectures.
Timeline
Dec 9, 2025
Fortinet PSIRT discloses FortiWeb cookie forgery vulnerability
Fortinet PSIRT disclosed CVE-2025-64447, a high-severity FortiWeb vulnerability caused by improper reliance on cookies without validation or integrity checking. The flaw affects several FortiWeb branches and allows unauthenticated attackers who know the device serial number to perform arbitrary operations via crafted HTTP or HTTPS requests with forged cookies.
Dec 9, 2025
Fortinet publicly discloses FortiSandbox OS command injection flaw
Fortinet disclosed CVE-2025-53949, a high-severity OS command injection vulnerability in FortiSandbox affecting versions 5.0.0 through 5.0.2, 4.4.0 through 4.4.7, and all 4.2.x and 4.0.x releases. The issue allows an authenticated attacker to execute unauthorized code through crafted HTTP requests, and Fortinet recommended upgrading to patched versions.
Dec 9, 2025
Fortinet PSIRT publishes FortiVoice path traversal advisory
Fortinet PSIRT published advisory FG-IR-25-812 for CVE-2025-60024, a high-severity path traversal flaw in FortiVoice. The vulnerability affects FortiVoice 7.2.0 through 7.2.2 and 7.0.0 through 7.0.7 and may let a privileged authenticated attacker write arbitrary files via crafted HTTP or HTTPS commands.
Dec 9, 2025
Fortinet discloses FortiWeb SAML authentication bypass vulnerability
Fortinet disclosed a critical FortiWeb vulnerability, tracked as CVE-2025-59719, caused by improper verification of cryptographic signatures. The flaw affects multiple FortiWeb versions and allows unauthenticated attackers to bypass FortiCloud SSO login authentication using a crafted SAML response; patches were released.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Affected Products
Sources
Related Stories
Multiple Critical Vulnerabilities Disclosed in Fortinet FortiSandbox and FortiWeb Products
Fortinet has addressed several critical vulnerabilities affecting its FortiSandbox and FortiWeb products, with public advisories and technical details released on December 16, 2025. The most severe issues impact FortiSandbox, where multiple command injection vulnerabilities (CVE-2025-53949) allow authenticated attackers to execute arbitrary code as root via the `admindel_confirm`, `name`, and `upload_vdi_file` parameters. Additionally, a cross-site scripting vulnerability (CVE-2025-54353) in the `hcproxy` component could enable remote code execution with minimal user interaction. Fortinet has released patches for these flaws, and users are strongly advised to update affected systems immediately. For FortiWeb, a critical authentication bypass vulnerability (CVE-2025-64447) was disclosed, stemming from improper verification of cryptographic signatures in the `ApacheCookie_parse` method, allowing unauthenticated attackers to gain access. These disclosures follow recent reports of active exploitation of a separate FortiWeb vulnerability (CVE-2025-64446), which enables unauthenticated attackers to create rogue administrator accounts and fully compromise exposed devices. Organizations using FortiWeb and FortiSandbox should review the official advisories and apply the recommended mitigations to prevent exploitation.
1 months ago
Multiple Vulnerabilities in Fortinet Products Enable Arbitrary Code Execution and Information Disclosure
Several Fortinet products, including FortiWeb, FortiClient, FortiExtender, FortiMail, FortiPAM, FortiSandbox, FortiADC, FortiVoice, FortiOS, and FortiProxy, have been found to contain multiple vulnerabilities, some of which could allow for arbitrary code execution. The most severe of these vulnerabilities, such as the FortiWeb RCE flaw (CVE-2025-58034), is under active exploitation and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Additionally, a vulnerability in FortiClient for Windows involving active debug code could allow a local attacker to retrieve saved VPN user passwords, posing a significant risk of information disclosure. Security advisories urge organizations using affected Fortinet products to review available patches and mitigations immediately. The vulnerabilities impact a wide range of Fortinet's security and networking solutions, increasing the urgency for prompt remediation to prevent potential exploitation and compromise of sensitive assets.
1 months ago
Fortinet FortiWeb Zero-Day Vulnerabilities Exploited in the Wild
Fortinet has disclosed two significant vulnerabilities in its FortiWeb product, CVE-2025-58034 and CVE-2025-64446, both of which have been actively exploited in the wild. The first, CVE-2025-58034, is a medium-severity OS command injection flaw that allows authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands. The second, CVE-2025-64446, is a critical vulnerability that can be chained with the first to facilitate authentication bypass and further command injection. Fortinet has released patches in version 8.0.2 to address these issues, but the company has faced criticism for its handling and staggered disclosure of the flaws, with some suggesting the delay was to allow customers time to patch before publicizing the risks. Security researchers, including Orange Cyberdefense, have observed several exploitation campaigns leveraging these vulnerabilities, raising concerns about the potential for widespread compromise of FortiWeb deployments. The U.S. CISA has added the new Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog, underscoring the urgency for organizations to apply the latest patches. The incidents highlight ongoing risks in supply chain and critical infrastructure security, as attackers increasingly target widely deployed security appliances with zero-day exploits.
1 months ago