Cybersecurity firms are sounding the alarm over a critical vulnerability in Fortinet FortiWeb, the company’s Web Application Firewall (WAF) product. The flaw, which has been observed actively exploited in the wild since October 2025, allows an attacker with no existing access to instantly gain administrator-level control of the FortiWeb Manager panel.
Organizations using vulnerable versions of FortiWeb are advised to take emergency remediation steps, as the existence of a public Proof-of-Concept (PoC) exploit means broad exploitation is highly likely.
The story begins on October 6, 2025, when cyber-deception company Defused observed a proof-of-concept (PoC) exploit striking one of its FortiWeb Manager honeypots. The captured traffic showed an unauthenticated attacker sending a crafted HTTP POST request that ultimately resulted in the creation of a new administrator-level account on the FortiWeb Manager panel, with instant access to the websocket CLI.
Rapid7 subsequently tested the exploit against multiple versions of FortiWeb:
- The public PoC works reliably against FortiWeb 8.0.1 (released in August 2025).
- The same exploit fails against the latest FortiWeb 8.0.2 release.
What’s not clear yet is why it fails on 8.0.2. Without a vendor advisory, researchers can’t confirm whether Fortinet silently fixed the vulnerability or whether the exploit was simply broken as a side-effect of unrelated changes.
The situation escalated further on November 6, 2025, when Rapid7 Labs spotted an alleged FortiWeb zero-day exploit for sale on a popular black hat forum. At the time of writing, it’s unknown whether that underground listing describes the same bug Defused caught in its honeypots, but the timing is hard to ignore.

At present, no official Fortinet PSIRT advisory or CVE identifier has been published for this particular issue.
While technical details are still limited, defenders can start hunting for suspicious activity based on what’s known:
- Unusual admin account creation: New FortiWeb administrator accounts appearing suddenly, especially with generic or “Testpoint” usernames, should be investigated immediately.
- Odd POST requests to FortiWeb management APIs: Look for POSTs to rarely used configuration endpoints on the management interface, particularly those associated with system administration or account management.
- CLI/Websocket activity from untrusted IPs: Any websocket CLI sessions or admin login attempts from unexpected external IPs are a red flag.
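The three hunting signals above can be turned into a simple log triage script. The following is an added example, not code from the original article or from any of the vendors it cites; it assumes a constructed key=value access-log layout, placeholder management paths (/mgmt/admin-accounts, /mgmt/ws-cli) and an assumed trusted management subnet, all of which must be adapted to the real FortiWeb log schema and your own network.

```python
import ipaddress
import re

# Constructed sample lines in an ASSUMED key=value layout. This is not
# FortiWeb's real log format; map the field names to your device's schema.
SAMPLE_LOG = """\
src=10.0.5.21 method=GET path=/mgmt/status user=admin
src=203.0.113.45 method=POST path=/mgmt/admin-accounts user=-
src=203.0.113.45 method=GET path=/mgmt/ws-cli user=Testpoint
src=10.0.5.21 method=POST path=/mgmt/admin-accounts user=admin
src=198.51.100.9 event=admin_created user=Testpoint
src=10.0.5.21 event=admin_created user=jsmith
"""

# Assumed: management access should only come from this internal range.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Placeholder paths standing in for admin/account-management and websocket CLI endpoints.
ADMIN_PATH_RE = re.compile(r"^/mgmt/(admin-accounts|ws-cli)")
# Generic or throwaway-looking admin names, including the "Testpoint" name seen in the wild.
SUSPECT_USER_RE = re.compile(r"^(test\w*|testpoint|admin\d+)$", re.IGNORECASE)


def parse(line):
    """Split one 'k=v k=v' line into a dict (value may contain '=')."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def hunt(log_text):
    """Return (signal, source_ip, detail) tuples for lines matching the hunt criteria."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        src = rec.get("src", "")
        untrusted = bool(src) and not is_trusted(src)
        path = rec.get("path", "")
        user = rec.get("user", "")
        if rec.get("event") == "admin_created" and (untrusted or SUSPECT_USER_RE.match(user)):
            findings.append(("admin_account_created", src, user))
        elif rec.get("method") == "POST" and ADMIN_PATH_RE.search(path) and untrusted:
            findings.append(("post_to_admin_endpoint", src, path))
        elif path.startswith("/mgmt/ws-cli") and untrusted:
            findings.append(("websocket_cli_untrusted", src, user))
    return findings


if __name__ == "__main__":
    for signal, src, detail in hunt(SAMPLE_LOG):
        print(f"{signal:26} src={src:15} {detail}")
```

The trusted-subnet entry from a normal username produces no finding, so the script only surfaces the externally sourced or oddly named events an analyst would want to review first.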
WatchTowr has reproduced the exploit and released a script that can check whether a given FortiWeb instance behaves in a way consistent with the authentication bypass.
another exploited in-the-wild FortiWeb vuln? It must be Thursday!
— watchTowr (@watchtowrcyber) November 13, 2025
Organizations with strong change control may want to run such detection tooling in a lab or controlled environment to validate whether their specific builds are exploitable, while awaiting official vendor guidance.
Organizations running versions of FortiWeb that pre-date 8.0.2 are strongly advised to remediate on an emergency basis by updating to FortiWeb version 8.0.2.
Update:
Fortinet has released a security advisory for this flaw. It is tracked as CVE-2025-64446 (CVSS 9.1), a relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, and FortiWeb 7.0.0 through 7.0.11 that may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.