Full Report
Cybersecurity researchers are sounding the alert about an authentication bypass vulnerability in Fortinet Fortiweb WAF that could allow an attacker to take over admin accounts and completely compromise a device. "The watchTowr team is seeing active, indiscriminate in-the-wild exploitation of what appears to be a silently patched vulnerability in Fortinet's FortiWeb product," Benjamin Harris,
Analysis Summary
# Vulnerability: Fortinet FortiWeb Authentication Bypass Leading to Admin Takeover
## CVE Details
- CVE ID: Not assigned at time of reporting (Silently patched)
- CVSS Score: Unknown (Likely High/Critical due to admin takeover)
- CWE: Unknown (Likely IDOR or Improper Authorization)
## Affected Systems
- Products: Fortinet FortiWeb WAF
- Versions: Versions prior to 8.0.2
- Configurations: All configurations appear susceptible if running vulnerable firmware.
## Vulnerability Description
This is an authentication bypass vulnerability residing in the FortiWeb WAF. Successful exploitation allows an unauthenticated attacker to perform actions as a privileged user, most critically, adding a new administrator account to the device for persistence. The attack is executed via an HTTP POST request targeting the endpoint: `/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi`.
## Exploitation
- Status: Exploited in the wild (Active, indiscriminate exploitation observed)
- Complexity: Low (A working Proof-of-Concept (PoC) artifact generator tool has been released by researchers.)
- Attack Vector: Network
## Impact
- Confidentiality: High (Potential for full device compromise allows access to security policy configurations and potentially sensitive traffic data if the WAF is inline.)
- Integrity: High (Full administrative access allows attackers to modify device settings, add backdoors, or change security policies.)
- Availability: High (Potential for full device compromise and disruption of WAF service.)
## Remediation
### Patches
- Fortinet released a fix in **version 8.0.2**.
### Workarounds
- Organizations are urged to apply patches on an emergency basis.
- Monitor for signs of compromise, especially the addition of unknown administrator accounts.
## Detection
- Indicators of Compromise: Presence of newly created administrative accounts within the FortiWeb interface, specifically usernames like `Testpoint`, `trader1`, or `trader` with associated passwords noted in the wild payloads.
- Detection methods and tools: Focus on monitoring HTTP POST traffic to the specific API path mentioned above (`/api/v2.0/cmdb/system/admin...`) for unauthorized requests. Analysis of FortiWeb logs for unusual admin creation events. Researchers from watchTowr have released an artifact generator tool to help identify susceptible targets.
## References
- Vendor advisory: None published by Fortinet PSIRT at the time of reporting (vulnerability was silently patched).
- Relevant links:
- watchTowr Research & PoC: hxxps://github.com/watchtowrlabs/watchTowr-vs-Fortiweb-AuthBypass
- Defused/PwnDefend analysis: hxxps://www.pwndefend.com/2025/11/13/suspected-fortinet-zero-day-exploited-in-the-wild/
- Rapid7 Alert: hxxps://www.rapid7.com/blog/post/etr-critical-vulnerability-in-fortinet-fortiweb-exploited-in-the-wild/