Exploited Critical Fortinet Flaws Expose FortiWeb and FortiManager to Takeover
Fortinet disclosed two critical vulnerabilities affecting FortiWeb and FortiManager, both of which have been exploited in the wild and can lead to full device compromise. In FortiWeb, multiple versions are affected by an unauthenticated SQL injection flaw that lets attackers send crafted HTTP or HTTPS requests to execute unauthorized SQL commands, bypass access controls, read sensitive configuration and user data, alter or delete database records, and potentially escalate to complete system takeover. Fortinet advised customers to upgrade immediately to fixed releases or disable the HTTP/HTTPS management interface as a temporary workaround.
In FortiManager, the critical flaw tracked as CVE-2024-47575 allows unauthenticated remote code execution and remote command execution, with exploitation observed globally and against Finnish organizations. A successful attack can give intruders control of vulnerable FortiManager systems and expose connected device configuration data and passwords. Fortinet issued patches for most affected branches, while FortiManager Cloud 6.4 has no fix and must be upgraded; the company also warned that if exploitation is suspected, patching alone is insufficient and organizations should perform a full incident investigation using Fortinet’s compromise-assessment guidance.
Timeline
Jul 14, 2025
Fortinet issues patches and workaround for FortiWeb flaw
Fortinet recommended immediate upgrades to fixed FortiWeb versions for affected 7.0, 7.2, 7.4, and 7.6 branches. As a workaround, organizations unable to patch were advised to disable the HTTP/HTTPS management interface.
Jul 14, 2025
Fortinet discloses exploited FortiWeb SQL injection vulnerability
Fortinet disclosed a critical SQL injection vulnerability affecting multiple FortiWeb versions that allows unauthenticated attackers to execute unauthorized SQL commands via crafted HTTP or HTTPS requests. The issue was reported as actively exploited and could lead to access-control bypass, data exposure or modification, and possible full system compromise.
Oct 23, 2024
Finnish organizations targeted via FortiManager vulnerability exploitation
The Finnish National Cyber Security Centre reported exploitation attempts against Finnish organizations targeting the FortiManager flaw CVE-2024-47575. Successful exploitation could allow takeover of vulnerable FortiManager systems and theft of sensitive configuration data and passwords.
Oct 23, 2024
Fortinet fixes exploited FortiManager RCE flaw CVE-2024-47575
Fortinet released security updates for a critical FortiManager vulnerability, CVE-2024-47575, that allows unauthenticated remote code execution and remote command execution. The company said the flaw had already been exploited in the wild globally and published compromise-checking and mitigation guidance.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Organizations
Affected Products
Sources
Related Stories
Active Exploitation of FortiWeb OS Command Injection Vulnerabilities
Fortinet has disclosed multiple vulnerabilities in its FortiWeb web application firewall, including a critical OS command injection flaw tracked as CVE-2025-64446 and another actively exploited vulnerability, CVE-2025-58034. These vulnerabilities allow authenticated attackers to execute unauthorized code or commands on affected FortiWeb systems via crafted HTTP requests or CLI commands. Fortinet has observed exploitation of these flaws in the wild and has released security updates to address the issues, urging customers to upgrade to the latest versions to mitigate risk. The vulnerabilities impact several FortiWeb versions, and Fortinet has credited researchers from Trend Micro for responsible disclosure. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has responded by mandating that all federal civilian agencies patch CVE-2025-64446 within seven days, highlighting the severity and active exploitation of the bug. Security researchers have noted that attackers are using HTTP POST requests to create new admin-level accounts on exposed devices, and CISA has recommended disabling HTTP/HTTPS on internet-facing interfaces if immediate patching is not possible. Fortinet has communicated directly with affected customers and emphasized the importance of prompt remediation to prevent further compromise of FortiWeb deployments.
1 months ago
Active Exploitation of FortiWeb Command Injection Vulnerability (CVE-2025-58034)
Attackers are actively exploiting a command injection vulnerability in Fortinet FortiWeb, tracked as CVE-2025-58034, which allows authenticated users to execute unauthorized code on affected systems. The flaw, caused by improper neutralization of special elements in the `policy_scripting_post_handler` method, enables code execution as root via crafted HTTP requests or CLI commands. Fortinet released patches for affected FortiWeb versions between October 23 and 31, 2025, but did not publicly disclose the vulnerability at the time. The issue was privately reported by a Trend Micro researcher, and both Fortinet and CISA have confirmed active exploitation, with CISA adding the CVE to its Known Exploited Vulnerabilities catalog and mandating rapid remediation for US federal agencies. Security researchers warn that proof-of-concept code for CVE-2025-58034 may soon be publicly available, increasing the risk of widespread attacks. There is currently no workaround for this vulnerability, and organizations are urged to upgrade to the fixed FortiWeb versions immediately and check for signs of compromise. The vulnerability requires authentication to exploit, but successful exploitation grants attackers root-level access. The disclosure timeline shows the vulnerability was reported in June 2025 and publicly disclosed in November 2025, with coordinated advisories from both Fortinet and the Zero Day Initiative.
1 months ago
Critical Fortinet FortiOS and FortiProxy Flaws Enable Remote Compromise
Fortinet disclosed multiple critical vulnerabilities in **FortiOS** and related products, including an authentication bypass in **FortiOS** and **FortiProxy** that can grant attackers **super-admin privileges** and is being **actively exploited in the wild**. The flaw can be triggered through specially crafted requests to the **Node.js websocket module** and affects FortiOS `7.0.0` through `7.0.16`, FortiProxy `7.2.0` through `7.2.12`, and FortiProxy `7.0.0` through `7.0.19`. Organizations were told to upgrade to FortiOS `7.0.17+`, FortiProxy `7.2.13+`, or FortiProxy `7.0.20+`, and to apply Fortinet’s recommended mitigations immediately. Separate Fortinet advisories also warned of critical flaws **CVE-2024-21762** and **CVE-2024-23113**, affecting **FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager**. **CVE-2024-21762** carries a **CVSS 9.6** rating, while **CVE-2024-23113** is rated **CVSS 9.8**; both require urgent patching to fixed versions identified by Fortinet. Fortinet and national cyber authorities said defenders should prioritize upgrades across exposed appliances, and for `CVE-2024-21762`, disabling the **SSL VPN** feature can reduce exposure until patches are applied.
1 weeks ago