Critical FortiWeb flaw under attack, allowing complete compromise

Pierluigi Paganini
November 14, 2025

A Fortinet FortiWeb auth-bypass flaw is being actively exploited, allowing attackers to hijack admin accounts and fully compromise devices.

Researchers warn of an authentication bypass flaw in Fortinet FortiWeb WAF that allows full device takeover.

The cybersecurity vendor addressed the vulnerability with the release of version 8.0.2.

A security flaw lets anyone break into FortiWeb devices and get full admin control. The issue was publicly disclosed after Defused shared a PoC on October 6, 2025, following real attack attempts captured by its honeypot.

watchTowr Labs confirmed the FortiWeb exploit and published the video PoC on X. The team also released a tool, the “FortiWeb Authentication Bypass Artifact Generator,” which tries to exploit the flaw by creating an admin account with a random 8-character username.

Defused and researcher Daniel Card report that attackers are exploiting the flaw by sending a crafted HTTP POST request to “/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi” to create a new admin account.

“So this is already public and already being sprayed over the internet, there’s always a concern here when we think about how much intel to share/publish etc. So I’m not going to write the full details but I will give enough to help with detection logic (someone else is free to do more, that’s their own choice!)” Card explained.

“The TA appears to send a payload to the following URL Endpoint via an HTTP POST request

/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi

Inside this is a payload to create a user account.”

Card extracted the following credentials from the payloads:

Username        Password
Testpoint       AFodIUU3Sszp5
trader1         3eMIXX43
trader          3eMIXX43
test1234point   AFT3$tH4ck
Testpoint       AFT3$tH4ck
Testpoint       AFT3$tH4ckmet0d4yaga!n
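The detection logic Card alludes to can be built from two things the article gives: the request target (an encoded “?” followed by “../” segments that climb from the REST API tree into cgi-bin/fwbcgi) and the usernames seen in the captured payloads. The script below is an added example written for this page, not code from Card, Defused, watchTowr or Fortinet. It decodes each access-log request target repeatedly (so a double-encoded variant is not missed), flags targets that show the “?”-plus-traversal pattern or that collapse to /cgi-bin/, and offers a lookup for the usernames in the table above. The log lines are constructed samples in common log format; a real FortiWeb log layout may differ, so the regular expression is an assumption to adapt.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real captures.
# Line 1 mirrors the request path quoted in the article, line 3 is a
# double-encoded variant of it, lines 2 and 4 are benign traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Nov/2025:10:00:01 +0000] "POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512
203.0.113.11 - - [14/Nov/2025:10:00:02 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 401 0
203.0.113.12 - - [14/Nov/2025:10:00:03 +0000] "POST /api/v2.0/cmdb/system/admin%253F/..%2F..%2F..%2F..%2F..%2Fcgi-bin/fwbcgi HTTP/1.1" 200 512
203.0.113.13 - - [14/Nov/2025:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 1024
"""

# Assumed log layout (common log format); adjust for the real log source.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Usernames Card extracted from the captured payloads (table in the article).
SUSPECT_USERNAMES = {"Testpoint", "trader1", "trader", "test1234point"}


def decode_fully(path, max_rounds=3):
    """URL-decode repeatedly so double-encoded sequences (%253F -> %3F -> ?) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def analyze_path(raw_path):
    """Return the reasons a request target matches the bypass pattern; [] means no match."""
    decoded = decode_fully(raw_path)
    reasons = []

    # 1. An encoded '?' followed by '../' segments: the '?' makes a naive parser
    #    treat the traversal as a query string, while the '..' climb out of /api/.
    if "?" in decoded and "/../" in decoded.split("?", 1)[1]:
        reasons.append("encoded '?' followed by directory traversal")

    # 2. Collapse the decoded target (treating '?' as a separator) and see where it
    #    really lands: a request addressed to the REST tree should never resolve
    #    to /cgi-bin/fwbcgi.
    collapsed = posixpath.normpath(decoded.replace("?", "/"))
    if raw_path.startswith("/api/") and collapsed.startswith("/cgi-bin/"):
        reasons.append("API request resolves to %s" % collapsed)

    return reasons


def scan_log(text):
    """Return (ip, method, raw_path, reasons) for every log line that matches."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_path(m["path"])
        if reasons:
            hits.append((m["ip"], m["method"], m["path"], reasons))
    return hits


def is_suspect_username(name):
    """True if a newly created admin name matches one seen in the captured payloads."""
    return name in SUSPECT_USERNAMES


if __name__ == "__main__":
    for ip, method, path, reasons in scan_log(SAMPLE_LOG):
        print(ip, method, path, "->", "; ".join(reasons))
```

Rule 2 is the more general of the two: it fires on any encoding of the traversal, as long as the decoded target climbs out of the API tree into /cgi-bin/, so it keeps working if the exact path in the article changes. Pair the username lookup with the device's admin-creation audit events rather than with the access log, since the new account name travels in the POST body, which the access log does not record.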

At this time, it is unclear who is behind the exploitation attempts.

On November 6, 2025, Rapid7 Labs researchers noted the sale of an alleged zero-day exploit targeting FortiWeb on a popular black hat forum.

However, it is unclear if it is the same exploit as the one described by the researchers.

(SecurityAffairs – hacking, FortiWeb)
