Cyber Alert: Critical Vulnerability Affecting Fortinet FortiWeb Products
Attention HIROC Subscribers:
As your proactive partner in safety, HIROC is sharing the following important notice.
Please share this Alert with your Information Technology (IT) team, Information Security Management team, Chief Information Officer, and Chief Technology Officer and, as appropriate, with your users, to raise awareness about a potential cyber threat and to address potential risks promptly.
The purpose of this Alert is to raise awareness about a recently reported critical vulnerability affecting Fortinet FortiWeb, a web application firewall, and to highlight the urgent actions required to protect your infrastructure.
HIROC has become aware, through public advisories from the Canadian Centre for Cyber Security and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), of a Fortinet FortiWeb vulnerability that allows an unauthenticated malicious actor to execute administrative commands on the system through specially crafted HTTP or HTTPS requests. This relative path traversal vulnerability, tracked as CVE-2025-64446, has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog based on evidence of exploitation in the wild.
Recognizing that this type of vulnerability is widely exploited as an attack vector by cybercriminals and poses significant risks to infrastructure, CISA has mandated that U.S. federal agencies patch their impacted FortiWeb products by November 21, 2025.
HIROC recommends that Subscribers take inventory of all Fortinet web application firewalls in use and verify if the product versions are impacted. If impacted products are identified, HIROC strongly recommends taking immediate action to apply the necessary patches and updates as recommended by Fortinet.
Recommended Actions
HIROC recommends the following for our Subscribers:
- Review and update the following Fortinet products based on Fortinet's guidance (see the table below).
- If patches or upgrades cannot be applied in a timely manner, weigh the criticality of the impacted environment and the compensating controls available, and consider disconnecting the device from the internet until the patches can be applied.
- Monitor for indicators of compromise, including, but not limited to, configuration changes, unexpected modifications to administrator accounts or the addition of unauthorized ones, evidence of requests to the fwbcgi path, and activity from identified suspicious IP addresses.
- Should you discover activity matching the content of this Alert, report it via Cyber Centre Incident Management (https://www.cyber.gc.ca/en/incident-management) or by email to [email protected].
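As an added example of the monitoring step (illustrative code written for this page, not HIROC's or Fortinet's tooling), the script below scans access logs from a load balancer or reverse proxy in front of FortiWeb for two of the indicators listed above: requests that reach the fwbcgi path, and requests from a watch-list of source addresses. The log lines, the watch-list address (a documentation-range address) and the assumption that fwbcgi is served under /cgi-bin/ are all constructed for the example; the real suspicious-address list must come from the Cyber Centre and Fortinet advisories. The script also flags `../` sequences after percent-decoding, which is a general path-traversal heuristic rather than a signature taken from the advisories. Checks for configuration changes and unauthorized administrator accounts must be made against the appliance's own event logs and configuration backups, which this example does not cover.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (common log format); not real traffic.
# The CGI path is assumed to sit under /cgi-bin/ for the purpose of the example.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Nov/2025:10:01:02 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.10 - - [14/Nov/2025:10:01:05 +0000] "POST /api/../../cgi-bin/fwbcgi HTTP/1.1" 200 88
198.51.100.7 - - [14/Nov/2025:10:02:00 +0000] "GET /static/app.js HTTP/1.1" 200 9000
192.0.2.44 - - [14/Nov/2025:10:03:30 +0000] "GET /cgi-bin/fwbcgi HTTP/1.1" 403 0
203.0.113.10 - - [14/Nov/2025:10:04:11 +0000] "POST /api/%252e%252e/%252e%252e/cgi-bin/fwbcgi HTTP/1.1" 200 88
"""

# Placeholder watch-list (documentation-range address); replace with the
# addresses published in the Cyber Centre / Fortinet advisories.
SUSPICIOUS_IPS = frozenset({"203.0.113.10"})

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def decode_path(target):
    """Percent-decode up to three rounds (defeats double encoding) and drop the query string."""
    path = target
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.split("?", 1)[0]


def classify(line, suspicious_ips=frozenset()):
    """Return a record with the indicator reasons for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_path(m["target"])
    reasons = []
    if "fwbcgi" in path.lower():
        reasons.append("request to fwbcgi path")
    if TRAVERSAL_RE.search(path):
        reasons.append("relative path traversal sequence")
    if m["ip"] in suspicious_ips:
        reasons.append("source in suspicious IP list")
    return {"ip": m["ip"], "time": m["time"], "method": m["method"],
            "path": path, "status": m["status"], "reasons": reasons}


def hunt(log_text, suspicious_ips=frozenset()):
    """Return only the records that triggered at least one indicator, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = classify(line, suspicious_ips)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG, SUSPICIOUS_IPS):
        print(f"{h['time']} {h['ip']} {h['method']} {h['path']} {h['status']} <- {', '.join(h['reasons'])}")
```

The decoding loop matters because a single round of URL decoding misses double-encoded traversal sequences such as `%252e%252e`. The 403 hit in the sample shows that blocked requests are still worth recording: they indicate reconnaissance against the vulnerable path even when the request did not succeed.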
| Version | Affected | Solution |
|---|---|---|
| FortiWeb 8.0 | 8.0.0 through 8.0.1 | Upgrade to 8.0.2 or above |
| FortiWeb 7.6 | 7.6.0 through 7.6.4 | Upgrade to 7.6.5 or above |
| FortiWeb 7.4 | 7.4.0 through 7.4.9 | Upgrade to 7.4.10 or above |
| FortiWeb 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.12 or above |
| FortiWeb 7.0 | 7.0.0 through 7.0.11 | Upgrade to 7.0.12 or above |
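To apply the table above across a fleet, the following added example (written for this page; not HIROC's or Fortinet's code) parses inventory version strings, compares them numerically against the affected ranges, and lists affected appliances first together with the minimum fix version. The hostnames and versions in SAMPLE_INVENTORY are constructed. A version whose branch does not appear in the table (for example a 6.x release) is reported as not-in-table rather than as safe, and should be checked against Fortinet's advisory FG-IR-25-910.

```python
import re

# Affected ranges transcribed from the table above:
# branch -> (first affected, last affected, fixed in).
AFFECTED = {
    (8, 0): ((8, 0, 0), (8, 0, 1), "8.0.2"),
    (7, 6): ((7, 6, 0), (7, 6, 4), "7.6.5"),
    (7, 4): ((7, 4, 0), (7, 4, 9), "7.4.10"),
    (7, 2): ((7, 2, 0), (7, 2, 11), "7.2.12"),
    (7, 0): ((7, 0, 0), (7, 0, 11), "7.0.12"),
}

# Constructed inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("waf-01.example.org", "7.6.4"),
    ("waf-02.example.org", "FortiWeb 7.4.10"),
    ("waf-03.example.org", "v8.0.1"),
    ("waf-04.example.org", "7.0.12"),
    ("waf-05.example.org", "6.4.3"),
]


def parse_version(text):
    """Extract the first x.y.z in a version string as an integer tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(version_text):
    """Classify one version as affected, fixed, or not-in-table, with the minimum fix version."""
    v = parse_version(version_text)
    label = ".".join(str(n) for n in v)
    branch = v[:2]
    if branch not in AFFECTED:
        # A branch the table does not list is not assumed safe; check Fortinet's advisory.
        return {"version": label, "status": "not-in-table", "fix": None}
    first, last, fix = AFFECTED[branch]
    if first <= v <= last:  # tuple comparison is numeric, so 7.4.9 < 7.4.10
        return {"version": label, "status": "affected", "fix": fix}
    return {"version": label, "status": "fixed", "fix": fix}


def triage(inventory):
    """Assess every (host, version) pair; affected hosts first, then unknown branches, then fixed."""
    order = {"affected": 0, "not-in-table": 1, "fixed": 2}
    rows = []
    for host, version_text in inventory:
        row = assess(version_text)
        row["host"] = host
        rows.append(row)
    rows.sort(key=lambda r: order[r["status"]])  # stable sort keeps inventory order within a group
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        action = f"upgrade to {r['fix']} or above" if r["status"] == "affected" else r["status"]
        print(f"{r['host']:<22} {r['version']:<8} {action}")
```

Comparing version strings lexically would rank 7.4.9 above 7.4.10, so the example compares integer tuples; the same mistake is easy to make in a spreadsheet filter over an inventory export.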
We are here for you!
In the event of a cyber loss, please contact HIROC’s Claims Department at [email protected].
For Healthcare Safety and Risk Management resources and advice, please contact us at [email protected].
If you have any questions about this Alert, please contact Kopiha Nathan, HIROC’s Privacy and Compliance Officer at [email protected].
Thank you for your vigilance and attention to this matter.
Additional Resources
- Canadian Centre for Cyber Security, Alert - AL25-017 - Vulnerability impacting Fortinet FortiWeb – CVE-2025-64446 (November 14, 2025), https://www.cyber.gc.ca/en/alerts-advisories/al25-017-vulnerability-impacting-fortinet-fortiweb-cve-2025-64446
- Cybersecurity and Infrastructure Security Agency, Alert - CISA Adds One Known Exploited Vulnerability to Catalog (November 14, 2025), https://www.cisa.gov/news-events/alerts/2025/11/14/cisa-adds-one-known-exploited-vulnerability-catalog
- Cybersecurity and Infrastructure Security Agency, Alert - Fortinet Releases Security Advisory for Relative Path Traversal Vulnerability Affecting FortiWeb Products (November 14, 2025), https://www.cisa.gov/news-events/alerts/2025/11/14/fortinet-releases-security-advisory-relative-path-traversal-vulnerability-affecting-fortiweb
- FortiGuard Labs, PSIRT Advisory FG-IR-25-910 - Path confusion vulnerability in GUI (November 14, 2025), https://fortiguard.fortinet.com/psirt/FG-IR-25-910
- Mayuresh Dani (Qualys blog), Unauthenticated Authentication Bypass in Fortinet FortiWeb (CVE-2025-64446) Exploited in the Wild (November 14, 2025), https://blog.qualys.com/vulnerabilities-threat-research/2025/11/14/unauthenticated-authentication-bypass-in-fortinet-fortiweb-cve-2025-64446-exploited-in-the-wild