Cybersecurity researchers have warned that the Fortinet Fortiweb WAF has an authentication bypass vulnerability that could allow an attacker to take over the administrator account and fully compromise the device.
“The watchTowr team has observed active and indiscriminate field exploitation of vulnerabilities that appear to have been silently patched in Fortinet’s FortiWeb products,” Benjamin Harris, CEO and founder of watchTowr, said in a statement.
“This vulnerability, patched in version 8.0.2, allows an attacker to perform actions as a privileged user. The actual exploit focuses on adding a new administrator account as the basic persistence mechanism for the attacker.”
The cybersecurity firm said it was able to reproduce the vulnerability and create a working proof of concept (POC). We also released an authentication bypass artifact generation tool to help identify susceptible devices.
According to details shared by PwnDefend’s Defused and security researcher Daniel Card, the attacker behind this exploit was found to be sending a payload to “/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi” via an HTTP POST request to create an administrator account.
Some of the administrator usernames and passwords created by payloads detected in the wild are:
Test point / AFodIUU3Sszp5 trader1 / 3eMIXX43 trader / 3eMIXX43 test1234point / AFT3$tH4ck test point / AFT3$tH4ck test point / AFT3$tH4ckmet0d4yaga!n
The origin and identity of the attackers behind the attack remain unknown. The exploit was first detected early last month. At the time of writing, Fortinet has not assigned a CVE identifier or published any advisories to the PSIRT feed.
Hacker News has reached out to Fortinet for comment and will update the article if we hear back.
Rapid7, which is calling on organizations running Fortinet FortiWeb versions earlier than 8.0.2 to urgently address this vulnerability, said it has confirmed that a suspected zero-day exploit targeting Fortinet was marketed on a popular blackhat forum on November 6, 2025. It is not clear at this time whether this is the same exploit.
“While we await comment from Fortinet, users and businesses are now faced with the familiar process of looking for subtle signs of a previous breach, contacting Fortinet for more information, and patching them if they haven’t already done so,” Harris said. “However, given the observed indiscriminate exploitation; […]An unpatched appliance may already be compromised. ”
Source link
