Fortinet faced criticism for silently patching **two zero-day vulnerabilities** in its **FortiWeb web application firewall (WAF)** without adequately informing customers. The first, **CVE-2025-64446 (FG-IR-25-910)**, disclosed on **November 14**, is a **critical** flaw (CVSS 9.4) that combines **path traversal** and **authentication bypass** weaknesses in the GUI. The second, **CVE-2025-58034 (FG-IR-25-513)**, revealed **four days later**, is part of the same attack chain. Both vulnerabilities were exploited in the wild before public disclosure, exposing organizations to **unauthorized access, data breaches, or system compromise**.

The lack of transparency erodes trust, as customers were left unaware of active exploitation risks. While no **direct data theft or financial loss** was confirmed in the article, the **critical severity of the flaws**, particularly the authentication bypass, poses a **high risk of system takeover, lateral movement, or follow-on attacks** (e.g., ransomware, data exfiltration). Silent patching also undermines incident response preparedness: defenders who are not told that a fix addressed an actively exploited flaw have no prompt to hunt for prior compromise, which may allow threat actors to maintain persistence in already compromised environments. The reputational damage from **poor vulnerability disclosure practices** further compounds the impact, as security researchers and customers question Fortinet’s commitment to transparency and proactive risk communication.
Fortinet cybersecurity rating report: https://www.rankiteo.com/company/fortinet
```json
{
  "id": "FOR1102211112125",
  "linkid": "fortinet",
  "type": "Vulnerability",
  "date": "11/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
```
```python
{'affected_entities': [{'industry': 'Cybersecurity',
                        'name': 'Fortinet',
                        'type': 'Corporation'}],
 'attack_vector': ['Path traversal (CVE-2025-64446)',
                   'Authentication bypass (CVE-2025-64446)'],
 'date_publicly_disclosed': ['2025-11-14', '2025-11-18'],
 'description': 'Fortinet was criticized for silently patching two zero-day vulnerabilities in its FortiWeb web application firewall without informing customers. The vulnerabilities, CVE-2025-64446 (critical, CVSS 9.4) and CVE-2025-58034, were disclosed on November 14 and November 18, respectively. CVE-2025-64446 includes a path traversal flaw and an authentication bypass weakness, both part of the same attack chain.',
 'impact': {'brand_reputation_impact': 'Criticism for silent patching without customer notification',
            'systems_affected': ['FortiWeb web application firewall']},
 'lessons_learned': 'Transparency in vulnerability disclosure and patching is critical to maintain customer trust and security posture.',
 'post_incident_analysis': {'root_causes': ['Silent patching of zero-day vulnerabilities without customer notification',
                                            'Lack of transparency in vulnerability management']},
 'recommendations': ['Improve communication with customers regarding vulnerability patches and potential risks.',
                     'Conduct thorough audits of patching processes to ensure compliance with best practices for transparency.'],
 'response': {'remediation_measures': ['Silent patching of vulnerabilities (criticized for lack of transparency)']},
 'title': 'Fortinet FortiWeb Zero-Day Vulnerabilities Exploited in Attack Chain',
 'type': ['Zero-day exploitation', 'Vulnerability disclosure'],
 'vulnerability_exploited': ['CVE-2025-64446 (FG-IR-25-910)',
                             'CVE-2025-58034 (FG-IR-25-513)']}
```