Defense delayed due to silent patching: While Fortinet officially published an advisory for CVE-2025-64446 on November 14, 2025, the vendor’s earlier version release note made no mention of the vulnerability or the fix, leading to criticism that the patch was applied silently.”Silently patching vulnerabilities is an established bad practice that enables attackers and harms defenders, particularly for devices and systems (including FortiWeb) that have previously been exploited in the wild,” Condon complained. “We already know security by obscurity doesn’t work; adversaries monitor new product releases and are actively reverse engineering patches regardless of whether suppliers tell their customers about fixed vulnerabilities or not.”VulnCheck had reported nearly 300 internet-facing FortiWeb instances via Shodan and a broader ~2700 via FOFA, all potentially vulnerable.Affected versions include 7.0.0 through 7.0.11, 7.2.0 through 7.2.11, 7.4.0 through 7.4.9, 7.6.0 through 7.6.4, and 8.0.0 through 8.0.1. Fixes are applied in releases 7.0.12, 7.2.12, 7.4.10, 7.6.5, and 8.0.2. Fortinet recommends disabling HTTP or HTTPS for internet-facing interfaces for customers who cannot immediately upgrade. “If the HTTP/HTTPS Management interface is internally accessible only as per best practice, the risk is significantly reduced,” the company added.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4091939/fortinets-silent-patch-sparks-alarm-as-a-critical-fortiweb-flaw-is-exploited-in-the-wild.html
