News of a critical vulnerability in Fortinet’s FortiWeb firewall product has raised concerns about disclosure practices in the cybersecurity industry. The web application firewall flaw, tracked as CVE-2025-64446, has been targeted by attackers, leading to rapid recommendations from federal agencies and security researchers. Organizations relying on FortiWeb have been urged to act quickly after evidence of widespread exploitation came to light. This incident has put Fortinet’s communication and response methods under scrutiny, prompting conversations about how vendors notify users when security risks are discovered. Many security teams now reconsider their reliance on timely updates from software providers.
Security advisories about Fortinet products are not uncommon, but previous flaws were typically disclosed more promptly. Historically, Fortinet often assigned identifiers and released public advisories together with security updates, which gave customers clear guidance and reduced the window of exposure. Analysts now point out that the delay in public notification for CVE-2025-64446 is out of step with these past practices, leading to increased risk for organizations that depend on timely alerts to safeguard their systems.
Why Did Notification Lag Behind the Initial Patch?
Although Fortinet addressed the vulnerability with a software patch for FortiWeb on October 28, the flaw was not publicly documented nor given a CVE identifier for more than two weeks. During this time, some customers had not upgraded to FortiWeb 8.0.2 and thus remained subject to attack. Threat researchers note that failing to share information about the critical flaw caused confusion and limited the ability of organizations and security professionals to gauge their level of exposure or to prioritize remedial actions.
What Risks Does the FortiWeb Flaw Pose?
CVE-2025-64446 allows malicious actors to perform path traversal, enabling unauthorized execution of administrative commands on vulnerable FortiWeb devices. Attackers actively exploited the flaw to create privileged accounts and potentially gain persistent access. Security agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) responded by adding the vulnerability to their known exploited catalog and imposing a seven-day mitigation deadline for federal agencies. Stepping up their technical response, cybersecurity researchers also published proof-of-concept exploits and scanning tools to identify at-risk systems.
How Has Fortinet Addressed Customer Concerns?
Fortinet has stated it worked on the vulnerability as soon as it became aware of the issue. The company emphasized a balance between customer security and open communication.
“Fortinet diligently balances our commitment to the security of our customers and our culture of responsible transparency,”
a company spokesperson commented. Communications with affected users are ongoing, with the spokesperson adding,
“With that goal and principle top of mind, we are communicating directly with affected customers to advise on any necessary recommended actions.”
Despite these reassurances, external researchers express frustration over insufficient public guidance and the delayed sequence of updates and notification.
Technical experts and industry observers largely attribute the escalation of active attacks to the interval between patch release and public disclosure. While Fortinet maintains that actions were taken promptly, evidence points to attackers exploiting the window of silence to establish unauthorized access. As a result, organizations that delayed patching in line with standard procedures now face increased risk and complicated remediation efforts. The lingering uncertainty about potential victims highlights broader challenges in how critical vulnerabilities are reported, categorized, and remediated in the cybersecurity landscape.
This situation spotlights a recurring dilemma for defenders: balancing speedy patch deployment with operational stability, especially when updates are not flagged as urgent. For organizations using FortiWeb, keeping pace with emerging threats depends partly on the transparency and coordination from vendors such as Fortinet. When warnings lag behind exploitation, risk increases not only for individual customers but also for the broader ecosystem. Decision-makers must weigh the value of systematic change control against the threats arising from incomplete or ambiguous advisories. This incident may serve as a reminder for organizations to refine their vulnerability management processes and for vendors to strengthen cooperative disclosure—helping defenders to respond more effectively when new flaws are discovered.
