Fortinet FortiWeb Flaw Actively Exploited in the Wild Before Company’s...

Description

Cybersecurity researchers are sounding the alert about an authentication bypass vulnerability in Fortinet Fortiweb WAF that could allow an attacker to take over admin accounts and completely compromise a device.

"The watchTowr team is seeing active, indiscriminate in-the-wild exploitation of what appears to be a silently patched vulnerability in Fortinet's FortiWeb product," Benjamin Harris, watchTowr CEO and founder, said in a statement.

"Patched in version 8.0.2, the vulnerability allows attackers to perform actions as a privileged user - with in-the-wild exploitation focusing on adding a new administrator account as a basic persistence mechanism for the attackers."

DFIR Retainer Services

The cybersecurity company said it was able to successfully reproduce the vulnerability and create a working proof-of-concept (Poc). It has also released an artifact generator tool for the authentication bypass to help identify susceptible devices.

According to details shared by Defused and security researcher Daniel Card of PwnDefend, the threat actor behind the exploitation has been found to send a payload to the "/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi" by means of an HTTP POST request to create an admin account.

Some of the admin usernames and passwords created by the payloads detected in the wild are below -

* Testpoint / AFodIUU3Sszp5
* trader1 / 3eMIXX43
* trader / 3eMIXX43
* test1234point / AFT3$tH4ck
* Testpoint / AFT3$tH4ck
* Testpoint / AFT3$tH4ckmet0d4yaga!n

The origins and identity of the threat actor behind the attacks remain unknown. The exploitation activity was first detected early last month. As of writing, Fortinet has not assigned a CVE identifier or published an advisory on its PSIRT feed.

CIS Build Kits

The Hacker News has reached out to Fortinet for comment, and we will update the story if we hear back.

Rapid7, which is urging organizations running versions of Fortinet FortiWeb that predate 8.0.2 to address the vulnerability on an emergency basis, said it observed an alleged zero-day exploit targeting FortiWeb was published for sale on a popular black hat forum on November 6, 2025. It's currently not clear if it's the same exploit.

"While we wait for a comment from Fortinet, users and enterprises are now facing a familiar process now: look for trivial signs of prior compromise, reach out to Fortinet for more information, and apply patches if you haven't already," Harris said. "That said, given the indiscriminate exploitation observed [...], appliances that remain unpatched are likely already compromised."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Visit Original Source

Basic Information

ID THN:ACE9DE806577C8B46F499CA538D1D918

Published Nov 14, 2025 at 09:00

{
    "lastseen": "2025-11-14T09:08:31",
    "description": "![](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)\n\nCybersecurity researchers are sounding the alert about an authentication bypass vulnerability in Fortinet Fortiweb WAF that could allow an attacker to take over admin accounts and completely compromise a device.\n\n\"The watchTowr team is seeing active, indiscriminate in-the-wild exploitation of what appears to be a silently patched vulnerability in Fortinet's FortiWeb product,\" Benjamin Harris, watchTowr CEO and founder, said in a statement.\n\n\"Patched in version 8.0.2, the vulnerability allows attackers to perform actions as a privileged user - with in-the-wild exploitation focusing on adding a new administrator account as a basic persistence mechanism for the attackers.\"\n\n![DFIR Retainer Services](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)\n\nThe cybersecurity company said it was able to successfully reproduce the vulnerability and create a working proof-of-concept (Poc). It has also released an artifact generator tool for the authentication bypass to help identify susceptible devices.\n\nAccording to details shared by Defused and security researcher Daniel Card of PwnDefend, the threat actor behind the exploitation has been found to send a payload to the \"/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi\" by means of an HTTP POST request to create an admin account.\n\nSome of the admin usernames and passwords created by the payloads detected in the wild are below -\n\n  * Testpoint / AFodIUU3Sszp5\n  * trader1 / 3eMIXX43\n  * trader / 3eMIXX43\n  * test1234point / AFT3$tH4ck\n  * Testpoint / AFT3$tH4ck\n  * Testpoint / AFT3$tH4ckmet0d4yaga!n\n\n\n\nThe origins and identity of the threat actor behind the attacks remain unknown. The exploitation activity was first detected early last month. As of writing, Fortinet has not assigned a CVE identifier or published an advisory on its PSIRT feed.\n\n![CIS Build Kits](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)\n\nThe Hacker News has reached out to Fortinet for comment, and we will update the story if we hear back.\n\nRapid7, which is urging organizations running versions of Fortinet FortiWeb that predate 8.0.2 to address the vulnerability on an emergency basis, said it observed an alleged zero-day exploit targeting FortiWeb was published for sale on a popular black hat forum on November 6, 2025. It's currently not clear if it's the same exploit.\n\n\"While we wait for a comment from Fortinet, users and enterprises are now facing a familiar process now: look for trivial signs of prior compromise, reach out to Fortinet for more information, and apply patches if you haven't already,\" Harris said. \"That said, given the indiscriminate exploitation observed [...], appliances that remain unpatched are likely already compromised.\"\n\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\n",
    "published": "2025-11-14T09:00:00",
    "modified": "2025-11-14T09:00:41",
    "type": "thn",
    "title": "Fortinet FortiWeb Flaw Actively Exploited in the Wild Before Company's Silent Patch",
    "source": "",
    "references": "",
    "id": "THN:ACE9DE806577C8B46F499CA538D1D918",
    "bulletinFamily": "info",
    "cwe": null,
    "cvelist": [],
    "sourceData": "",
    "sourceHref": "",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://thehackernews.com/2025/11/fortinet-fortiweb-flaw-actively.html",
    "category_name": "News",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Fortinet FortiWeb Flaw Actively Exploited in the Wild Before Company’s Silent Patch_THN:ACE9DE806577C8B46F499CA538D1D918

Description

Basic Information

💭 Join the Security Discussion ❌ Cancel Reply