Threat actors are actively exploiting a critical authentication bypass vulnerability in Fortinet’s FortiWeb web application firewall (WAF) worldwide, prompting defenders to heighten vigilance.
Researchers at watchTowr Labs have responded by releasing a Detection Artefact Generator script, designed to help organizations scan their environments for vulnerable FortiWeb appliances and mitigate risks swiftly.
The vulnerability, tracked as CVE-2025-52970, stems from improper parameter handling in FortiWeb, enabling unauthenticated remote attackers to log in as any existing user via crafted requests.
With a CVSS score of 7.7, it requires some non-public knowledge of the device but poses severe risks, including privilege escalation and potential remote code execution on affected systems.
Fortinet patched the flaw in versions 8.0.2 and later, but in-the-wild attacks have surged since a partial proof-of-concept surfaced publicly in August 2025, targeting exposed FortiWeb instances indiscriminately.
Security firms report dozens of compromises, underscoring the urgency for immediate patching amid ongoing exploitation campaigns.
WatchTowr Labs’ open-source tool, hosted on GitHub at watchTowr-vs-Fortiweb-AuthBypass, simplifies detection by simulating the bypass mechanism. The Python script generates a unique username and password (e.g., “35f36895”) and sends an exploit payload to the target IP, such as python watchTowr-vs-Fortiweb-AuthBypass.py 192.168.1.99.
If successful, it confirms vulnerability by creating a temporary user, alerting administrators to remediate. Authored by Sina Kheirkhah (@SinSinology) and Jake Knott (@inkmoro), the script targets FortiWeb versions below 8.0.2, with specifics available via FortiGuard Labs PSIRT.
Organizations should prioritize scanning internet-facing appliances, applying patches, and monitoring for anomalous logins. As supply chain attacks evolve, tools like this empower proactive defense in a threat landscape where WAFs ironically become entry points.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
