In October 2025, a zero-day vulnerability in Fortinet’s FortiWeb Web Application Firewall (WAF) began being exploited in the wild. The flaw allows an unauthenticated attacker to gain administrative access to a FortiWeb appliance by sending a specially crafted request to a vulnerable API endpoint. Researchers at Defused Cyber, PwnDefend, and Rapid7 have confirmed active exploitation, and public proof-of-concept (PoC) code is already circulating online and being weaponized by threat actors. No CVE has been assigned yet; immediate mitigation is advised.
Severity: Critical
Vulnerability Details
- Discovered via honeypots operated by Defused Cyber.
- The flaw appears to be a path traversal vulnerability in FortiWeb’s management interface, reached through an HTTP POST to the following endpoint:
  /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi
  The %3F is a percent-encoded “?”; once it is decoded and the “..” segments are resolved, the request lands on the fwbcgi CGI handler instead of the admin API. This is abused to create new admin-level local user accounts on the device, bypassing authentication entirely.
- A public PoC has been confirmed to work against FortiWeb version 8.0.1 but fails against version 8.0.2, suggesting a silent patch.
Exploitation
- Attackers send POST requests to the endpoint above with a malicious payload.
- On a vulnerable device, FortiWeb returns 200 OK and the new administrator account (e.g. “hax0r”) is created.
- On devices running v8.0.2, the same request returns 403 Forbidden, indicating the vulnerability has been fixed or the behaviour has changed.
- Usernames and passwords observed in captured payloads:

| Username | Password |
|---|---|
| Testpoint | AFodIUU3Sszp5 |
| trader1 | 3eMIXX43 |
| trader | 3eMIXX43 |
| test1234point | AFT3$tH4ck |
| Testpoint | AFT3$tH4ck |
| Testpoint | AFT3$tH4ckmet0d4yaga!n |
Exploit Details
- The PoC demonstrated by watchTowr shows an initial login failure, followed by submission of the payload, and finally a successful login with the newly created credentials.
- An exploit for FortiWeb was listed for sale on a black hat forum as of November 6, 2025.
- Attackers are spraying the exploit across the internet against FortiWeb instances whose management interface is publicly exposed.
Affected Versions
- Affected: FortiWeb v8.0.1 (exploitation confirmed) and earlier releases
- Not affected: FortiWeb v8.0.2 (the public exploit fails against this version)
- No official CVE or vendor advisory had been published as of November 14, 2025.
Recommendations
- Upgrade FortiWeb to v8.0.2 or later (the public exploit fails on v8.0.2).
- Monitor the Fortinet PSIRT advisory feed for an official CVE and patch notice.
- As an interim measure, remove the FortiWeb management interface from public internet exposure. Restrict access to internal IP ranges or VPN tunnels only.
- Review local administrator accounts and alert on unexpected new ones (e.g. hax0r, Testpoint, trader).
- Block the published IOCs at the relevant controls:
  https://www.virustotal.com/gui/collection/e0b64bdbefc221223dbf0aa16c3e5d6338ec26dd68810ca71f55309d477861f9/iocs
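The following is an added example, not code from this advisory, from Fortinet, or from any of the researchers cited. It shows two of the checks above in working form: spotting the traversal request described under Vulnerability Details in HTTP access logs, and auditing local admin accounts against a baseline and the usernames in the payload table. The important detail is that the request should be matched after percent-decoding and path normalization, since a raw-string match on `admin%3F` misses a double-encoded variant while both resolve to `/cgi-bin/fwbcgi`. The log lines are constructed in a generic combined-log format; real FortiWeb or reverse-proxy logs will differ, so the `LOG_RE` parser is an assumption to adapt. The IP addresses are documentation ranges, not real IOCs.

```python
"""Detect FortiWeb fwbcgi traversal requests and audit local admin accounts.

Added example, not from the advisory or vendor. Log format, sample lines and
the baseline account list are constructed for illustration.
"""
import posixpath
import re
from urllib.parse import unquote

# Raw, still percent-encoded prefix used by the public PoC (from the advisory).
RAW_PREFIX = "/api/v2.0/cmdb/system/admin%3F/"
# What the traversal resolves to once decoded and normalized.
TARGET_CGI = "/cgi-bin/fwbcgi"
# Account names seen in captured payloads (from the advisory's table).
IOC_USERNAMES = {"hax0r", "Testpoint", "trader1", "trader", "test1234point"}

# Combined-log style parser. Assumption for this example; adapt to your logs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one plain attempt, one double-encoded attempt that a
# raw-string match would miss, and two benign requests to the admin API.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Nov/2025:09:12:44 +0000] "POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512
198.51.100.7 - - [13/Nov/2025:09:13:02 +0000] "POST /api/v2.0/cmdb/system/admin%253F/..%2F..%2F..%2F..%2F..%2Fcgi-bin/fwbcgi HTTP/1.1" 403 0
192.0.2.5 - - [13/Nov/2025:09:14:10 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 200 2048
192.0.2.5 - - [13/Nov/2025:09:15:30 +0000] "POST /api/v2.0/cmdb/system/admin HTTP/1.1" 200 128
"""


def normalize_path(raw: str) -> str:
    """Percent-decode until stable (catches double encoding), then collapse
    '.' and '..' segments the way a path-normalizing server would."""
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return posixpath.normpath(decoded)


def classify(method: str, raw_path: str, status: str):
    """Return a verdict for one request, or None if it looks benign."""
    if method != "POST":
        return None
    has_traversal = "/../" in unquote(unquote(raw_path))
    hits_cgi = normalize_path(raw_path) == TARGET_CGI
    if raw_path.startswith(RAW_PREFIX) or (has_traversal and hits_cgi):
        if status == "200":
            return "exploit attempt, 200 returned: assume an admin account was created"
        if status == "403":
            return "exploit attempt, 403 returned: blocked or patched (v8.0.2 behaviour)"
        return f"exploit attempt, status {status}"
    return None


def scan(log_text: str):
    """Parse each log line and collect the requests that match the pattern."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m["method"], m["path"], m["status"])
        if verdict:
            findings.append({
                "src": m["src"], "ts": m["ts"], "status": m["status"],
                "raw_path": m["path"], "normalized": normalize_path(m["path"]),
                "verdict": verdict,
            })
    return findings


def audit_admins(current, baseline):
    """Flag admin accounts missing from the approved baseline, calling out
    names that match the usernames seen in captured payloads."""
    flagged = []
    for name in sorted(set(current) - set(baseline)):
        reason = "matches IOC username" if name in IOC_USERNAMES else "not in baseline"
        flagged.append((name, reason))
    return flagged


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['status']} {f['normalized']}: {f['verdict']}")
    # Account list is constructed; on a real device compare against your own export.
    for name, why in audit_admins(["admin", "hax0r", "ops-backup"], ["admin"]):
        print(f"unexpected admin account {name!r}: {why}")
```

Run it once against your own access logs exported as text; a 403 hit is worth recording even on a patched device, because it identifies a source that is actively spraying the exploit.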
Sources:
- https://www.pwndefend.com/2025/11/13/suspected-fortinet-zero-day-exploited-in-the-wild/
- https://www.rapid7.com/blog/post/etr-critical-vulnerability-in-fortinet-fortiweb-exploited-in-the-wild/
- https://x.com/watchtowrcyber/status/1989017336632996337
- https://x.com/DefusedCyber/status/1975242250373517373
- https://www.bleepingcomputer.com/news/security/fortiweb-flaw-with-public-poc-actively-exploited-to-create-admin-users/