In the relentless battle for digital security, the trust between organizations and their technology vendors serves as a critical line of defense, but recent events surrounding two actively exploited vulnerabilities in Fortinet’s FortiWeb products have cast a harsh spotlight on the potential fragility of this alliance. These critical flaws, found within the company’s popular web application firewall, are not only being leveraged by threat actors in the wild but have also sparked a broader, more troubling conversation about vendor transparency and disclosure practices. The controversy stems from revelations that the scope of the vulnerabilities is far wider than initially communicated and that crucial information was withheld from security teams during the early stages of exploitation, leaving them ill-equipped to defend their networks against an ongoing threat. This situation raises pressing questions about whether defenders are being given the timely and complete intelligence they need to stay ahead of adversaries.
An Expanding Threat Surface
At the heart of the issue are two specific security flaws: a relative path traversal vulnerability tracked as CVE-2025-64446 and an operating system command injection flaw, CVE-2025-58034. When Fortinet first acknowledged these issues in a November advisory, the company’s guidance indicated that only FortiWeb versions 7.x and 8.x were affected, prompting customers on those platforms to take immediate action. However, subsequent independent analysis by security researchers at Rapid7 painted a more alarming picture. Principal security researcher Stephen Fewer discovered that both vulnerabilities also impact older, unsupported FortiWeb 6.x versions. This finding dramatically expands the potential attack surface, roping in a significant number of organizations that may still be running these legacy systems. Because these versions are no longer supported, they do not receive official patches or security updates, placing them in a permanently vulnerable state and making them low-hanging fruit for attackers scanning for unpatched systems.
The gravity of these vulnerabilities was further underscored by their swift addition to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. Inclusion in the KEV catalog is not merely a recommendation; it serves as a binding operational directive for U.S. federal civilian executive branch agencies to remediate identified flaws within a strict timeframe and acts as a de facto priority list for the broader cybersecurity community. This official recognition of active exploitation validates the immediate and significant risk posed by the FortiWeb flaws. For organizations running the newly identified vulnerable 6.x systems, this news was particularly dire. They were suddenly confronted with the reality that their legacy infrastructure, which they may have believed was unaffected based on the initial vendor advisory, was in fact a prime target for active threat campaigns, forcing them into a difficult position of finding alternative mitigations for unsupported hardware.
The Perils of Silent Patching
Beyond the expanded scope of the vulnerabilities, it is Fortinet’s disclosure methodology that has drawn the most significant criticism from security professionals. The company was censured for its initial handling of CVE-2025-64446, for which it reportedly issued a “silent patch” in October. This practice involves releasing a software update that fixes a security flaw without simultaneously publishing a corresponding CVE identifier or a formal security advisory detailing the nature and severity of the vulnerability. For cybersecurity defenders, this approach is deeply problematic. Modern security operations rely heavily on automated systems, such as vulnerability scanners and threat intelligence platforms, which use CVE identifiers to detect risks and trigger response workflows. Without this crucial identifier, security teams remain unaware of the threat, unable to properly assess its potential impact on their organization, prioritize the deployment of the patch, or proactively hunt for indicators of compromise within their networks.
This lack of transparency effectively hobbles defensive efforts, a sentiment echoed by Rapid7 researcher Ryan Emmons, who described the practice as a “huge kneecap for defenders.” By the time Fortinet officially disclosed the vulnerability and assigned it a CVE in November, threat actors were already exploiting it in the wild. This created a dangerous window of opportunity for attackers, who operated with a significant advantage over security teams that were kept in the dark. Defenders were thrust into a reactive posture, scrambling to triage, patch, and investigate a threat that had been festering in their environment for weeks. Such incidents erode the foundational trust between vendors and the cybersecurity community, a relationship that hinges on the principle of timely, accurate, and transparent communication to mount a collective and effective defense against shared adversaries. The episode serves as a stark reminder that the speed of disclosure is as critical as the patch itself.
Redefining Vendor Responsibility
The incident involving the FortiWeb vulnerabilities ultimately underscored a critical need for a re-evaluation of vendor disclosure norms across the industry. The conversation swiftly evolved from the technical details of path traversals and command injections to the more fundamental, ethical responsibility that security vendors held toward their customers and the broader digital ecosystem. The delayed and incomplete information provided by Fortinet left countless organizations unknowingly exposed and forced a reactive, high-stress response from security teams that could have been mitigated with more transparent communication. This episode served as a powerful testament to the idea that transparency is not a mere courtesy but a non-negotiable cornerstone of collective cybersecurity. The fallout prompted renewed and urgent calls for stronger industry-wide standards for vulnerability disclosure, championing a future where defenders are empowered with the timely intelligence required to act decisively, rather than being left to uncover threats only after the damage was already done.