Multiple Critical Vulnerabilities in Fortinet Security Products
Fortinet has disclosed several high-severity vulnerabilities affecting its security product lines, including FortiWeb, FortiVoice, and FortiSandbox. Notable issues include a cookie forgery vulnerability in FortiWeb (CVE-2025-64447) that allows unauthenticated attackers to execute arbitrary operations via forged cookies, provided they know the device's serial number, and an improper verification of cryptographic signatures in FortiWeb (CVE-2025-59719) that enables unauthenticated attackers to bypass FortiCloud SSO login authentication using crafted SAML responses. Additionally, FortiVoice is impacted by a path traversal vulnerability (CVE-2025-60024) permitting privileged authenticated attackers to write arbitrary files, and FortiSandbox suffers from an OS command injection flaw (CVE-2025-53949) that allows authenticated attackers to execute unauthorized code on the underlying system through crafted HTTP requests.
All vulnerabilities are remotely exploitable and have been assigned high or critical CVSS scores, with the FortiWeb authentication bypass rated as critical (CVSS 9.8/10). Fortinet has released security advisories and patches for the affected versions, urging customers to update their systems promptly to mitigate the risk of exploitation. Security researchers and vendors have highlighted the urgency of these patches due to the potential for unauthenticated remote attacks and the critical role these products play in enterprise security architectures.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Fortinet PSIRT discloses FortiWeb cookie forgery vulnerability
Fortinet PSIRT disclosed CVE-2025-64447, a high-severity FortiWeb vulnerability caused by improper reliance on cookies without validation or integrity checking. The flaw affects several FortiWeb branches and allows unauthenticated attackers who know the device serial number to perform arbitrary operations via crafted HTTP or HTTPS requests with forged cookies.
Fortinet publicly discloses FortiSandbox OS command injection flaw
Fortinet disclosed CVE-2025-53949, a high-severity OS command injection vulnerability in FortiSandbox affecting versions 5.0.0 through 5.0.2, 4.4.0 through 4.4.7, and all 4.2.x and 4.0.x releases. The issue allows an authenticated attacker to execute unauthorized code through crafted HTTP requests, and Fortinet recommended upgrading to patched versions.
Fortinet PSIRT publishes FortiVoice path traversal advisory
Fortinet PSIRT published advisory FG-IR-25-812 for CVE-2025-60024, a high-severity path traversal flaw in FortiVoice. The vulnerability affects FortiVoice 7.2.0 through 7.2.2 and 7.0.0 through 7.0.7 and may let a privileged authenticated attacker write arbitrary files via crafted HTTP or HTTPS commands.
Fortinet discloses FortiWeb SAML authentication bypass vulnerability
Fortinet disclosed a critical FortiWeb vulnerability, tracked as CVE-2025-59719, caused by improper verification of cryptographic signatures. The flaw affects multiple FortiWeb versions and allows unauthenticated attackers to bypass FortiCloud SSO login authentication using a crafted SAML response; patches were released.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
CVE-2025-64447 - Fortinet FortiWeb Cookie Forgery Vulnerability
cvefeed.io
Open sourceCVE-2025-60024 - Fortinet FortiVoice Path Traversal
cvefeed.io
Open sourceCVE-2025-53949 - Fortinet FortiSandbox OS Command Injection
cvefeed.io
Open sourceCVE-2025-59719
tenable.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple Critical Vulnerabilities Disclosed in Fortinet FortiSandbox and FortiWeb Products
Fortinet has addressed several critical vulnerabilities affecting its FortiSandbox and FortiWeb products, with public advisories and technical details released on December 16, 2025. The most severe issues impact FortiSandbox, where multiple command injection vulnerabilities (CVE-2025-53949) allow authenticated attackers to execute arbitrary code as root via the `admindel_confirm`, `name`, and `upload_vdi_file` parameters. Additionally, a cross-site scripting vulnerability (CVE-2025-54353) in the `hcproxy` component could enable remote code execution with minimal user interaction. Fortinet has released patches for these flaws, and users are strongly advised to update affected systems immediately. For FortiWeb, a critical authentication bypass vulnerability (CVE-2025-64447) was disclosed, stemming from improper verification of cryptographic signatures in the `ApacheCookie_parse` method, allowing unauthenticated attackers to gain access. These disclosures follow recent reports of active exploitation of a separate FortiWeb vulnerability (CVE-2025-64446), which enables unauthenticated attackers to create rogue administrator accounts and fully compromise exposed devices. Organizations using FortiWeb and FortiSandbox should review the official advisories and apply the recommended mitigations to prevent exploitation.
Mar 21, 2026
Multiple Vulnerabilities in Fortinet Products Enable Arbitrary Code Execution and Information Disclosure
Several Fortinet products, including FortiWeb, FortiClient, FortiExtender, FortiMail, FortiPAM, FortiSandbox, FortiADC, FortiVoice, FortiOS, and FortiProxy, have been found to contain multiple vulnerabilities, some of which could allow for arbitrary code execution. The most severe of these vulnerabilities, such as the FortiWeb RCE flaw (CVE-2025-58034), is under active exploitation and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Additionally, a vulnerability in FortiClient for Windows involving active debug code could allow a local attacker to retrieve saved VPN user passwords, posing a significant risk of information disclosure. Security advisories urge organizations using affected Fortinet products to review available patches and mitigations immediately. The vulnerabilities impact a wide range of Fortinet's security and networking solutions, increasing the urgency for prompt remediation to prevent potential exploitation and compromise of sensitive assets.
Mar 21, 2026
Fortinet FortiWeb Zero-Day Vulnerabilities Exploited in the Wild
Fortinet has disclosed two significant vulnerabilities in its FortiWeb product, CVE-2025-58034 and CVE-2025-64446, both of which have been actively exploited in the wild. The first, CVE-2025-58034, is a medium-severity OS command injection flaw that allows authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands. The second, CVE-2025-64446, is a critical vulnerability that can be chained with the first to facilitate authentication bypass and further command injection. Fortinet has released patches in version 8.0.2 to address these issues, but the company has faced criticism for its handling and staggered disclosure of the flaws, with some suggesting the delay was to allow customers time to patch before publicizing the risks. Security researchers, including Orange Cyberdefense, have observed several exploitation campaigns leveraging these vulnerabilities, raising concerns about the potential for widespread compromise of FortiWeb deployments. The U.S. CISA has added the new Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog, underscoring the urgency for organizations to apply the latest patches. The incidents highlight ongoing risks in supply chain and critical infrastructure security, as attackers increasingly target widely deployed security appliances with zero-day exploits.
Mar 21, 2026