Critical FortiWeb flaw under attack, allowing complete compromise


Pierluigi Paganini November 14, 2025

A Fortinet FortiWeb auth-bypass flaw is being actively exploited, allowing attackers to hijack admin accounts and fully compromise devices.

Researchers warn of an authentication bypass flaw in Fortinet FortiWeb WAF that allows full device takeover.

Fortinet addressed the vulnerability with the release of version 8.0.2.

The flaw lets an unauthenticated attacker break into FortiWeb devices and obtain full administrative control. It was publicly disclosed after Defused shared a PoC on October 6, 2025, following real attack attempts captured by its honeypot.

⚠️Unknown Fortinet exploit (possibly a CVE-2022-40684 variant) from 64.95.13.8 🇺🇸 ( BLNWX )

VirusTotal Detections: 0/95 🟢

JWT payload translates into:

{
"username": "admin",
"profname": "prof_admin",
"vdom": "root",
"loginname": "admin"
}

pic.twitter.com/IdTcdxBuBf

— Defused (@DefusedCyber) October 6, 2025

watchTowr Labs confirmed the FortiWeb exploit and published the video PoC on X. The team also released a tool, the “FortiWeb Authentication Bypass Artifact Generator,” which tries to exploit the flaw by creating an admin account with a random 8-character username.

Defused and researcher Daniel Card report that attackers are exploiting the flaw by sending a crafted HTTP POST request to “/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi” to create a new admin account.

“So this is already public and already being sprayed over the internet, there’s always a concern here when we think about how much intel to share/publish etc. So I’m not going to write the full details but I will give enough to help with detection logic (someone else is free to do more, that’s their own choice!)” Card explained.

“The TA appears to send a payload to the following URL Endpoint via an HTTP POST request:

/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi

Inside this is a payload to create a user account.”
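As an added example that is not from the article or from Card's write-up, the following Python detection logic flags the request pattern quoted above in web access logs: a request addressed to /api/ whose percent-decoded path walks up through ".." segments into /cgi-bin/. It generalizes from the single path reported to any such traversal, and the log lines it scans are constructed samples.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed access-log lines in combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Oct/2025:10:12:01 +0000] "POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512
203.0.113.8 - - [06/Oct/2025:10:12:05 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 200 2048
203.0.113.9 - - [06/Oct/2025:10:12:09 +0000] "POST /api/v2.0/cmdb/system/admin%3f/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/cgi-bin/fwbcgi HTTP/1.1" 200 512
198.51.100.4 - - [06/Oct/2025:10:13:00 +0000] "POST /cgi-bin/fwbcgi HTTP/1.1" 403 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def resolve_path(target: str) -> str:
    """Return the path a lenient backend would end up serving.

    A literal '?' in the log line is the real query separator, so split on it
    first. The '%3F' in the observed requests is part of the path: once decoded
    it reads as '?', which a front end may take as the start of a query string
    while the backend keeps walking the '..' segments that follow it.
    """
    raw_path = target.split("?", 1)[0]
    decoded = unquote(unquote(raw_path))  # second pass catches double encoding
    return posixpath.normpath(decoded)


def is_traversal_to_cgi(target: str) -> bool:
    """Flag a request addressed to /api/ whose resolved path lands in /cgi-bin/."""
    raw_path = target.split("?", 1)[0]
    if not raw_path.lower().startswith("/api/"):
        return False
    return resolve_path(target).startswith("/cgi-bin/")


def scan_log(text: str) -> list[dict]:
    """Return one record per request line matching the traversal pattern."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal_to_cgi(m["target"]):
            hits.append({
                "client": line.split(" ", 1)[0],
                "method": m["method"],
                "target": m["target"],
                "resolved": resolve_path(m["target"]),
            })
    return hits
```

Run `scan_log` over real access logs to surface the two encoded variants in the sample; the direct POST to /cgi-bin/fwbcgi is deliberately not matched, since it is a different signal from the traversal itself.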

Card extracted the following credentials from the payloads:

Username / Password
TestpointAFodIUU3Sszp5
trader13eMIXX43
trader3eMIXX43
test1234pointAFT3$tH4ck
TestpointAFT3$tH4ck
TestpointAFT3$tH4ckmet0d4yaga!n

At this time, it is unclear who is behind the exploitation attempts.

On November 6, 2025, Rapid7 Labs researchers noted the sale of an alleged zero-day exploit targeting FortiWeb on a popular black hat forum.

However, it is unclear if it is the same exploit as the one described by the researchers.


Pierluigi Paganini

(SecurityAffairs – hacking, FortiWeb)




Source: https://securityaffairs.com/184615/hacking/critical-fortiweb-flaw-under-attack-allowing-complete-compromise.html