Critical Alert: Cybercriminals Actively Exploiting Vulnerabilities in Fortinet, Cisco, VMware, and WatchGuard Systems
Executive Summary
Organizations worldwide face an unprecedented wave of actively exploited vulnerabilities affecting critical network infrastructure from major cybersecurity vendors. As of November 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added multiple high-severity vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, with threat actors demonstrating sophisticated exploitation techniques against Fortinet FortiWeb, Cisco ASA/FTD firewalls, VMware Aria Operations, and WatchGuard Firebox devices.
Breached Company
These vulnerabilities are not theoretical risks—they are being weaponized in active attack campaigns, with some linked to state-sponsored threat actors. Federal agencies face strict remediation deadlines, and private sector organizations must act immediately to protect their infrastructure.
Current Threat Landscape: November 2025
Attack Volume and Scope
The cybersecurity community is witnessing an alarming escalation in vulnerability exploitation:
- Over 54,000 vulnerable WatchGuard Firebox devices exposed globally as of November 12, 2025
- Approximately 48,000 unpatched Cisco ASA/FTD appliances remain internet-facing despite repeated warnings
- Active exploitation confirmed across all major vendor platforms within days of patch releases
- State-sponsored threat actors (UAT4356/Storm-1849) linked to sophisticated attack campaigns
Critical Vulnerabilities Under Active Exploitation
1. Fortinet FortiWeb Authentication Bypass (CVE-2025-64446)
Severity: Critical (CVSS 9.1)
Status: Actively exploited since October 2025
CISA KEV Added: November 14, 2025
Remediation Deadline: November 21, 2025
Vulnerability Details
Fortinet FortiWeb web application firewalls contain a critical path traversal vulnerability that allows unauthenticated attackers to execute administrative commands on vulnerable systems. The flaw affects multiple FortiWeb versions:
- FortiWeb 8.0.0 through 8.0.1
- FortiWeb 7.6.0 through 7.6.4
- FortiWeb 7.4.0 through 7.4.9
- FortiWeb 7.2.0 through 7.2.11
- FortiWeb 7.0.0 through 7.0.11
Attack Methodology
Attackers exploit this vulnerability by sending specially crafted HTTP POST requests to vulnerable endpoints:
POST /api/v2.0/cmdb/system/admin?/../../../../../cgi-bin/fwbcgi HTTP/1.1
This path traversal technique bypasses authentication controls, allowing threat actors to create new administrative accounts with full device control. Security researchers observed exploitation attempts as early as October 6, 2025, with public proof-of-concept code accelerating attack activity.
Impact Assessment
Successful exploitation enables attackers to:
- Gain complete administrative control over FortiWeb devices
- Modify security policies and firewall rules
- Intercept and manipulate web application traffic
- Establish persistent backdoor access
- Disable logging mechanisms to cover their tracks
Immediate Actions Required
- Upgrade to patched versions immediately:
- FortiWeb 8.0.2 or later
- FortiWeb 7.6.5 or later
- FortiWeb 7.4.10 or later
- FortiWeb 7.2.12 or later
- FortiWeb 7.0.12 or later
- Temporary mitigation if patching is not immediately possible:
- Disable HTTP/HTTPS access on internet-facing management interfaces
- Restrict management interface access to internal networks only
- Monitor for unauthorized administrative account creation
- Incident response activities:
- Review all administrative accounts for unauthorized additions
- Examine logs for suspicious API calls to
/api/v2.0/cmdb/system/admin - Check for base64-encoded CGIINFO headers in HTTP requests
- Investigate any unexpected system reboots or configuration changes
2. Cisco ASA/FTD Critical Vulnerability Chain (CVE-2025-20333, CVE-2025-20362)
Severity: Critical (CVE-2025-20333: CVSS 9.9, CVE-2025-20362: CVSS 8.1)
Status: Exploited as zero-days since May 2025
CISA Emergency Directive: ED 25-03 issued September 25, 2025
Attribution: UAT4356/Storm-1849 (China-linked threat actor)
