Multiple Critical Vulnerabilities in Fortinet Security Products
Fortinet has disclosed several high-severity vulnerabilities affecting its security product lines, including FortiWeb, FortiVoice, and FortiSandbox. Notable issues include a cookie forgery vulnerability in FortiWeb (CVE-2025-64447) that allows unauthenticated attackers to execute arbitrary operations via forged cookies, provided they know the device's serial number, and an improper verification of cryptographic signatures in FortiWeb (CVE-2025-59719) that enables unauthenticated attackers to bypass FortiCloud SSO login authentication using crafted SAML responses. Additionally, FortiVoice is impacted by a path traversal vulnerability (CVE-2025-60024) permitting privileged authenticated attackers to write arbitrary files, and FortiSandbox suffers from an OS command injection flaw (CVE-2025-53949) that allows authenticated attackers to execute unauthorized code on the underlying system through crafted HTTP requests.
All vulnerabilities are remotely exploitable and have been assigned high or critical CVSS scores, with the FortiWeb authentication bypass rated as critical (CVSS 9.8/10). Fortinet has released security advisories and patches for the affected versions, urging customers to update their systems promptly to mitigate the risk of exploitation. Security researchers and vendors have highlighted the urgency of these patches due to the potential for unauthenticated remote attacks and the critical role these products play in enterprise security architectures.
Related Entities
Sources
Related Stories
Multiple Critical Vulnerabilities Disclosed in Fortinet FortiSandbox and FortiWeb Products
Fortinet has addressed several critical vulnerabilities affecting its FortiSandbox and FortiWeb products, with public advisories and technical details released on December 16, 2025. The most severe issues impact FortiSandbox, where multiple command injection vulnerabilities (CVE-2025-53949) allow authenticated attackers to execute arbitrary code as root via the `admindel_confirm`, `name`, and `upload_vdi_file` parameters. Additionally, a cross-site scripting vulnerability (CVE-2025-54353) in the `hcproxy` component could enable remote code execution with minimal user interaction. Fortinet has released patches for these flaws, and users are strongly advised to update affected systems immediately. For FortiWeb, a critical authentication bypass vulnerability (CVE-2025-64447) was disclosed, stemming from improper verification of cryptographic signatures in the `ApacheCookie_parse` method, allowing unauthenticated attackers to gain access. These disclosures follow recent reports of active exploitation of a separate FortiWeb vulnerability (CVE-2025-64446), which enables unauthenticated attackers to create rogue administrator accounts and fully compromise exposed devices. Organizations using FortiWeb and FortiSandbox should review the official advisories and apply the recommended mitigations to prevent exploitation.
3 months agoMultiple Vulnerabilities in Fortinet Products Enable Arbitrary Code Execution and Information Disclosure
Several Fortinet products, including FortiWeb, FortiClient, FortiExtender, FortiMail, FortiPAM, FortiSandbox, FortiADC, FortiVoice, FortiOS, and FortiProxy, have been found to contain multiple vulnerabilities, some of which could allow for arbitrary code execution. The most severe of these vulnerabilities, such as the FortiWeb RCE flaw (CVE-2025-58034), is under active exploitation and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Additionally, a vulnerability in FortiClient for Windows involving active debug code could allow a local attacker to retrieve saved VPN user passwords, posing a significant risk of information disclosure. Security advisories urge organizations using affected Fortinet products to review available patches and mitigations immediately. The vulnerabilities impact a wide range of Fortinet's security and networking solutions, increasing the urgency for prompt remediation to prevent potential exploitation and compromise of sensitive assets.
3 months agoFortinet FortiWeb Zero-Day Vulnerabilities Exploited in the Wild
Fortinet has disclosed two significant vulnerabilities in its FortiWeb product, CVE-2025-58034 and CVE-2025-64446, both of which have been actively exploited in the wild. The first, CVE-2025-58034, is a medium-severity OS command injection flaw that allows authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands. The second, CVE-2025-64446, is a critical vulnerability that can be chained with the first to facilitate authentication bypass and further command injection. Fortinet has released patches in version 8.0.2 to address these issues, but the company has faced criticism for its handling and staggered disclosure of the flaws, with some suggesting the delay was to allow customers time to patch before publicizing the risks. Security researchers, including Orange Cyberdefense, have observed several exploitation campaigns leveraging these vulnerabilities, raising concerns about the potential for widespread compromise of FortiWeb deployments. The U.S. CISA has added the new Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog, underscoring the urgency for organizations to apply the latest patches. The incidents highlight ongoing risks in supply chain and critical infrastructure security, as attackers increasingly target widely deployed security appliances with zero-day exploits.
3 months ago