CISA issues update to Known Exploited Vulnerabilities Catalog including Fortinet flaw
The Cybersecurity and Infrastructure Security Agency (CISA) has added a new vulnerability affecting Fortinet FortiWeb products to its Known Exploited Vulnerabilities (KEV) Catalog. The flaw is a path traversal issue; it was added on the basis of evidence of active exploitation and poses a risk of unauthorized system access.
The newly listed vulnerability is identified as CVE-2025-64446. It impacts Fortinet FortiWeb devices through a path traversal vulnerability, allowing exploitation under specific conditions. This vulnerability has been confirmed as actively exploited and is now recognized as posing a security risk to affected systems.
The consequences of this vulnerability include exposure to unauthorized access or control over vulnerable equipment, creating potential entry points for malicious activities within impacted environments.
In response, CISA's Binding Operational Directive (BOD) 22-01 requires Federal Civilian Executive Branch agencies to remediate KEV-listed vulnerabilities, including this one, by their designated due dates. While the directive binds only federal agencies, CISA advises all organizations to prioritize mitigation of vulnerabilities cataloged in the KEV to reduce their exposure to exploitation.
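As an added illustration of how a defender tracks KEV entries against BOD 22-01 due dates (example code written for this article, not CISA's or Fortinet's tooling): the script below matches catalog entries to an asset inventory and grades each one against its due date. The feed content, inventory hosts and all dates are constructed placeholders shaped like the real KEV JSON feed, not the catalog's actual values for CVE-2025-64446.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed; the live feed is published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# The dateAdded/dueDate values below are placeholders, not the catalog's real values.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-64446", "vendorProject": "Fortinet", "product": "FortiWeb",
     "vulnerabilityName": "Fortinet FortiWeb Path Traversal Vulnerability",
     "dateAdded": "2025-01-01", "dueDate": "2025-01-08",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "ExampleApp",
     "vulnerabilityName": "Constructed placeholder entry",
     "dateAdded": "2025-01-01", "dueDate": "2025-01-22",
     "requiredAction": "Apply mitigations per vendor instructions."},
]})

# Constructed asset inventory (hypothetical hosts) to match against the catalog.
INVENTORY = [
    {"host": "waf-edge-01", "vendor": "Fortinet", "product": "FortiWeb"},
    {"host": "waf-edge-02", "vendor": "Fortinet", "product": "FortiWeb"},
    {"host": "app-01", "vendor": "OtherVendor", "product": "OtherApp"},
]


def kev_exposure(feed_json, inventory, today):
    """Match KEV entries to the inventory and grade each against its BOD 22-01 due date."""
    findings = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        hosts = sorted(a["host"] for a in inventory
                       if a["vendor"].lower() == entry["vendorProject"].lower()
                       and a["product"].lower() == entry["product"].lower())
        if not hosts:
            continue  # catalog entry does not apply to anything in the inventory
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        if days_left < 0:
            status = "OVERDUE"
        elif days_left <= 7:
            status = "DUE_SOON"
        else:
            status = "ON_TRACK"
        findings.append({"cve": entry["cveID"], "hosts": hosts, "due": entry["dueDate"],
                         "days_left": days_left, "status": status})
    return findings


if __name__ == "__main__":
    for f in kev_exposure(SAMPLE_FEED, INVENTORY, date(2025, 1, 10)):
        print(f"{f['status']:8} {f['cve']} due {f['due']} on {', '.join(f['hosts'])}")
```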
CISA maintains the KEV Catalog as an evolving list of CVEs with documented active exploitation and continues to update it following established criteria. The agency recommends adherence to the directive for applicable entities and encourages widespread attention to the vulnerabilities cataloged.