This alert refers to a critical situation where attackers are chaining together two vulnerabilities to take full control of FortiWeb Web Application Firewalls (WAFs).
1. The “One-Two Punch” Attack
Attackers are currently combining (chaining) two separate flaws to hack devices:
- Step 1 (The Key): They use CVE-2025-64446 (Authentication Bypass). This allows an attacker to bypass the login screen and become an “admin” without a password.
- Step 2 (The Weapon): Once they are “admin,” they use CVE-2025-58034 (Command Injection). This allows them to run malicious commands on the server to steal data, install ransomware, or pivot into your internal network.
2. Why “Check 6.x” is Critical
This is the most dangerous part of the alert.
- Hidden Risk: While Fortinet’s official advisory lists versions 7.0 through 8.0 as vulnerable, security researchers (specifically at Rapid7) discovered that older, unsupported FortiWeb 6.x versions are also vulnerable to these attacks.
- No Patch: Because version 6.x is End-of-Life (EOL), Fortinet is unlikely to release a patch for it.
- The Danger: If you are running version 6.x, you are likely fully exposed with no software fix available. You must replace these appliances or completely isolate them from the internet immediately.
3. Remediation Action Plan
- For Supported Versions (7.0 – 8.0): You must upgrade to the “safe” versions immediately:
- v8.0.x $\rightarrow$ Update to 8.0.2 or higher.
- v7.x $\rightarrow$ Update to the latest patched version (e.g., 7.6.5+, 7.4.10+, 7.2.12+, 7.0.12+).
- For Unsupported Versions (6.x):
- Immediate Mitigation: Disconnect the management interface from the internet. Block all external access to the device.
- Long-term: Decommission and replace the hardware.
Summary: Attackers are actively hunting for these devices. If you have a FortiWeb on version 6.x, it is a sitting duck. If you are on 7.x or 8.0.x, you need to patch active partitions now.
Comments are closed