Full Report
A security researcher has released a partial proof of concept exploit for a vulnerability in the FortiWeb web application firewall that allows a remote attacker to bypass authentication. [...]
Analysis Summary
# Vulnerability: FortiWeb Authentication Bypass Leading to Administrator Impersonation
## CVE Details
- CVE ID: **CVE-2025-52970** (Inferred; based on vendor advisory reference)
- CVSS Score: **7.7 (High)** (Stated vendor score, though noted as potentially deceptive)
- CWE: Not explicitly listed, but relates to Authentication Bypass/Session Management issues.
## Affected Systems
- Products: FortiWeb
- Versions: 7.0 through 7.6 (Specifically 7.0.x, 7.2.x, 7.4.x, and 7.6.x prior to fix versions)
- Configurations: All applicable versions noted above. FortiWeb 8.0 releases are **not** impacted.
## Vulnerability Description
The vulnerability is an Authentication Bypass flaw in FortiWeb that allows an attacker to impersonate an administrator. While the vendor's initial severity rating suggests a high attack complexity due to required brute-forcing, the researcher notes the brute-forcing aspect is relatively simple and quick in practice. A Proof of Concept (PoC) output demonstrated successful admin impersonation on a REST endpoint. The full exploit chain also includes access to the `/ws/cli/open` endpoint, suggesting potential remote command execution or full administrative control.
## Exploitation
- Status: **PoC available** (Partial PoC showing admin impersonation on a REST endpoint has been shared by the researcher)
- Complexity: **Medium** (Vendor states High complexity due to brute-forcing requirement, but researcher indicates the brute-forcing is simple/quick.)
- Attack Vector: Likely **Network** access to the affected FortiWeb appliance endpoints.
## Impact
- Confidentiality: **High** (Implied, due to administrative access)
- Integrity: **High** (Implied, due to administrative access)
- Availability: **High** (Implied, due to administrative access)
## Remediation
### Patches
The issue is fixed in the following versions:
- FortiWeb **7.6.4** and later
- FortiWeb **7.4.8** and later
- FortiWeb **7.2.11** and later
- FortiWeb **7.0.11** and later
### Workarounds
- The vendor security bulletin **lists no workarounds or mitigation advice**. Upgrading to a fixed version is the only recommended effective action.
## Detection
- **Indicators of Compromise:** Look for unusual activity related to REST endpoints or access attempts to the `/ws/cli/open` endpoint that are not legitimate administrative actions. The PoC demonstrates successful session manipulation/admin impersonation.
- **Detection Methods and Tools:** Monitor network traffic and appliance logs for unusual session handling or repeated failed login attempts that might indicate brute-forcing activity preceding a successful bypass.
## References
- Vendor advisory: `fortiguard.com/psirt/FG-IR-25-448` (Defanged: hXXps://www.fortiguard.com/psirt/FG-IR-25-448)
- Researcher PoC output: `pwner.gg/blog/2025-08-13-fortiweb-cve-2025-52970` (Defanged: hXXps://pwner.gg/blog/2025-08-13-fortiweb-cve-2025-52970)