Fortinet FortiWeb Devices Targeted in New Zero-Day Attack Campaign


In October 2025, a previously unknown zero-day vulnerability in Fortinet’s FortiWeb Web Application Firewall (WAF) began to be actively exploited in the wild. This critical flaw enables unauthenticated attackers to gain administrative access to FortiWeb devices via a specially crafted request to a vulnerable API endpoint. Security researchers from Defused Cyber, PwnDefend, and Rapid7 have confirmed exploitation, with public proof-of-concept (PoC) code already circulating online and being weaponized by threat actors. Although no CVE has been assigned yet, immediate mitigation is advised.

Severity: Critical

Vulnerability Details

  • Discovered via honeypots deployed by Defused Cyber.
  • The flaw appears to be a zero-day path traversal vulnerability in FortiWeb’s management interface, specifically targeting an HTTP POST endpoint:
    /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi
  • This endpoint is abused to inject commands enabling creation of new admin-level local user accounts on the device – effectively bypassing authentication entirely.
  • A PoC exploit was publicly demonstrated and confirmed functional against FortiWeb version 8.0.1, but fails against version 8.0.2, suggesting a possible silent patch.

Exploitation

  • Attackers send POST requests to the API endpoint with malicious payloads.
  • If successful, FortiWeb returns a 200 OK response and creates a user (e.g., “hax0r”).
  • On devices running v8.0.2, the response is 403 Forbidden, indicating that the vulnerability has been fixed or the endpoint’s behavior has been altered.
  • Usernames and passwords found in payloads (each line below is a username immediately followed by its password, as captured):
Username / Password
TestpointAFodIUU3Sszp5
trader13eMIXX43
trader3eMIXX43
test1234pointAFT3$tH4ck
TestpointAFT3$tH4ck
TestpointAFT3$tH4ckmet0d4yaga!n

Exploit Details

  • The PoC exploit demonstrated by WatchTowr shows an initial login failure, followed by payload submission, and finally a successful login using the newly created credentials.
  • A black hat forum listed an exploit for FortiWeb on sale as of November 6, 2025.
  • Attackers are spraying the exploit across the internet, especially where FortiWeb instances are exposed to the public.

Affected Versions

  • Affected: FortiWeb v8.0.1 and earlier (susceptible to exploitation)
  • Not affected: FortiWeb v8.0.2 (exploit appears ineffective)
  • No official CVE or vendor advisory yet published as of November 14, 2025.

Recommendations

  1. Upgrade FortiWeb to v8.0.2 or later (the public exploit fails on this version).
  2. Continue monitoring the Fortinet PSIRT advisory feed for an official CVE and patch notice.
  3. As an interim measure, remove the FortiWeb management interface from public internet exposure. Restrict access to FortiWeb Manager to internal-only IPs or VPN tunnels.
  4. Monitor for the creation of unexpected local admin users (e.g., hax0r, Testpoint, trader).
  5. Block the IOCs (linked below) at the respective security controls.
    https://www.virustotal.com/gui/collection/e0b64bdbefc221223dbf0aa16c3e5d6338ec26dd68810ca71f55309d477861f9/iocs
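The following is an added detection example written for this advisory, not code from the advisory or from Fortinet. It scans access-log lines (constructed samples in Common Log Format, not real FortiWeb output) for the POST-plus-path-traversal pattern described above, decoding the URL before matching so that the `%3F` trick and double encoding do not hide the traversal, and it includes a small baseline check for recommendation 4. The log format, field names and sample IPs are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log entries (Common Log Format style); not real FortiWeb log output.
SAMPLE_LOGS = [
    '203.0.113.10 - - [12/Nov/2025:10:01:02 +0000] "POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512',
    '203.0.113.10 - - [12/Nov/2025:10:01:03 +0000] "POST /api/v2.0/cmdb/system/admin%253F/..%252F..%252F..%252F..%252F..%252Fcgi-bin/fwbcgi HTTP/1.1" 403 0',
    '198.51.100.7 - admin [12/Nov/2025:10:02:00 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 200 2048',
    '198.51.100.7 - admin [12/Nov/2025:10:03:00 +0000] "POST /api/v2.0/cmdb/system/admin HTTP/1.1" 200 64',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize_path(path: str) -> str:
    """Percent-decode up to three times so double-encoded traversal collapses, then lowercase."""
    cur = path
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.lower()

def is_fwbcgi_traversal(method: str, path: str) -> bool:
    """Match the advisory's pattern: a POST to the cmdb API whose decoded path walks up into cgi-bin/fwbcgi.
    The decoded string is inspected whole: '%3F' becomes '?', so a naive split at the
    query string would discard the traversal that follows it."""
    norm = normalize_path(path)
    return method == "POST" and "/api/v2.0/cmdb/" in norm and "/../" in norm and "cgi-bin/fwbcgi" in norm

def scan(lines):
    """Return one finding per suspicious request: source IP, HTTP status and a verdict.
    A 200 matches the observed successful case; 403 matches the patched v8.0.2 behaviour."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_fwbcgi_traversal(m["method"], m["path"]):
            continue
        status = int(m["status"])
        findings.append({"src": m["src"], "status": status,
                         "verdict": "likely_success" if status == 200 else "blocked_or_failed"})
    return findings

def new_admins(baseline, current):
    """Recommendation 4: report local admin accounts that are absent from the known-good baseline."""
    return sorted(set(current) - set(baseline))

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
    print(new_admins(["admin"], ["admin", "hax0r", "trader"]))
```

A `likely_success` finding should be treated as a probable compromise and followed by a review of local admin accounts on that device, not just a blocked request.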
