A critical authentication bypass vulnerability in FortiWeb allows unauthenticated remote attackers to impersonate any existing user on affected systems.
The vulnerability, tracked as CVE-2025-52970 with a CVSS score of 7.7, affects multiple FortiWeb versions and stems from improper parameter handling in the cookie parsing mechanism.
Key Takeaways
1. CVE-2025-52970 lets attackers bypass authentication to log in as any user on FortiWeb systems.
2. FortiWeb 7.0-7.6 versions are vulnerable.
3. Attackers manipulate cookie parameters to force zero-filled encryption keys.
FortiWeb Out-of-Bounds Vulnerability
The vulnerability is an out-of-bounds read in FortiWeb’s cookie handling code, classified as CWE-233 (Improper Handling of Parameters).
During cookie parsing, the system uses an “Era” parameter to select encryption keys from a shared memory array without proper validation.
The FortiWeb session cookie contains three components: the Era (session type identifier), Payload (encrypted session data including username and role), and AuthHash (HMAC SHA1 signature).
By manipulating the Era parameter to values between 2 and 9, attackers can force the system to read uninitialized memory locations, potentially resulting in the use of null or zero-filled encryption keys.
This manipulation effectively reduces the cryptographic security to zero: under normal circumstances the probability of a key being all zeros is 1/2^n, but under exploitation it becomes 1, so the key used to validate the cookie is fully known to the attacker.
The researcher Aviv Y demonstrated this with a proof-of-concept targeting the /api/v2.0/system/status.systemstatus endpoint, showing successful admin impersonation through crafted cookie requests.
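The failure described above is an index taken from attacker-controlled input being used to select a key without a bounds check. The following is an added example, not FortiWeb code or the researcher's proof of concept: it models a three-part cookie (Era | Payload | AuthHash) with a constructed layout, a simulated shared-memory region whose key table has two slots followed by zeroed memory (an assumption used to mimic uninitialized memory), and shows the unchecked lookup beside a hardened one that rejects out-of-range Era values and degenerate keys before the HMAC is ever compared. Payload encryption is omitted for brevity; the cookie format, key table size and all values are made up.

```python
import hashlib
import hmac
import os

# Constructed model of the cookie layout: Era (key-table index), Payload
# (session data; encryption omitted here), AuthHash (HMAC-SHA1 over Era|Payload).
KEY_LEN = 20
KEY_TABLE_SIZE = 2  # assumption: legitimate Era values are 0 and 1

# Simulated shared memory: the key table, then uninitialized (zeroed) memory.
KEY_TABLE = [os.urandom(KEY_LEN) for _ in range(KEY_TABLE_SIZE)]
SHARED_MEMORY = b"".join(KEY_TABLE) + bytes(KEY_LEN * 8)  # slots 2..9 read as zeros


class CookieError(ValueError):
    """Raised for any cookie the parser refuses to trust."""


def lookup_key_unchecked(era: int) -> bytes:
    """Vulnerable pattern: index straight into shared memory with no range check.
    An Era past the table returns whatever lies beyond it, here all zeros."""
    start = era * KEY_LEN
    return SHARED_MEMORY[start:start + KEY_LEN]


def lookup_key_checked(era: int) -> bytes:
    """Hardened lookup: validate the index against the table and refuse a zero key."""
    if not 0 <= era < KEY_TABLE_SIZE:
        raise CookieError(f"era {era} outside key table")
    key = KEY_TABLE[era]
    if key == bytes(KEY_LEN):
        raise CookieError("refusing all-zero key")
    return key


def make_cookie(era: int, payload: bytes, key: bytes) -> str:
    """Build 'era|payload_hex|authhash_hex' for the toy format (used for test data)."""
    mac = hmac.new(key, str(era).encode() + b"|" + payload, hashlib.sha1).hexdigest()
    return f"{era}|{payload.hex()}|{mac}"


def parse_cookie(cookie: str, checked: bool = True) -> bytes:
    """Parse the toy cookie and verify AuthHash before returning the payload.
    checked=True uses the hardened lookup; checked=False reproduces the flaw."""
    try:
        era_s, payload_hex, mac_hex = cookie.split("|")
        era = int(era_s)
        payload = bytes.fromhex(payload_hex)
        mac = bytes.fromhex(mac_hex)
    except ValueError as exc:
        raise CookieError("malformed cookie") from exc
    key = lookup_key_checked(era) if checked else lookup_key_unchecked(era)
    expected = hmac.new(key, era_s.encode() + b"|" + payload, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        raise CookieError("bad AuthHash")
    return payload


def accepts(cookie: str, checked: bool = True) -> bool:
    """True if the parser would trust this cookie under the chosen lookup."""
    try:
        parse_cookie(cookie, checked=checked)
        return True
    except CookieError:
        return False


def legit_cookie() -> str:
    """A cookie signed with a real table key, as a genuine session would be."""
    return make_cookie(0, b"user=alice;role=user", KEY_TABLE[0])


def out_of_range_cookie() -> str:
    """A cookie whose Era points past the table and whose MAC uses a zero key."""
    return make_cookie(5, b"user=admin;role=admin", bytes(KEY_LEN))


if __name__ == "__main__":
    print("legit, checked   :", accepts(legit_cookie()))
    print("era=5, unchecked :", accepts(out_of_range_cookie(), checked=False))
    print("era=5, checked   :", accepts(out_of_range_cookie(), checked=True))
```

The point of the contrast is that the HMAC check alone is not a defence: with the unchecked lookup the signature verifies because the key it is computed against is the predictable zero block. The bounds check has to run before any key material is used, and rejecting an all-zero key is a cheap second line of defence against other ways of ending up with uninitialized key memory.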
| Risk Factors | Details |
|---|---|
| Affected Products | FortiWeb 7.0.0 – 7.0.10; FortiWeb 7.2.0 – 7.2.10; FortiWeb 7.4.0 – 7.4.7; FortiWeb 7.6.0 – 7.6.3; FortiWeb 8.0: not affected |
| Impact | Authentication bypass |
| Exploit Prerequisites | Non-public device information; non-public targeted user information; active user session during exploit; brute-force of validation number (~30 attempts) |
| CVSS 3.1 Score | 7.7 (High Severity) |
Mitigations
The vulnerability affects FortiWeb versions 7.0.0 through 7.0.10, 7.2.0 through 7.2.10, 7.4.0 through 7.4.7, and 7.6.0 through 7.6.3, while FortiWeb 8.0 remains unaffected.
Organizations must upgrade to patched versions: 7.0.11+, 7.2.11+, 7.4.8+, or 7.6.4+, respectively.
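The version ranges above are easy to misread in an inventory spreadsheet, since each branch has its own cut-off. The following added example (not Fortinet tooling) encodes the affected ranges and first fixed releases exactly as the article lists them and triages a list of hosts; the inventory entries are constructed, and branches the article does not mention are reported as unknown rather than guessed.

```python
import re
from collections import defaultdict

# Per branch: (first affected, last affected, first fixed), taken from the advisory text.
AFFECTED_RANGES = {
    (7, 0): ((7, 0, 0), (7, 0, 10), (7, 0, 11)),
    (7, 2): ((7, 2, 0), (7, 2, 10), (7, 2, 11)),
    (7, 4): ((7, 4, 0), (7, 4, 7), (7, 4, 8)),
    (7, 6): ((7, 6, 0), (7, 6, 3), (7, 6, 4)),
}
NOT_AFFECTED_FROM = (8, 0, 0)  # FortiWeb 8.0 is stated as not affected


def parse_version(text: str) -> tuple:
    """Turn 'v7.4.7' or '7.4.7' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(version_text: str) -> tuple:
    """Return (status, first_fixed) where status is one of
    'vulnerable', 'patched', 'not_affected' or 'unknown'."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in AFFECTED_RANGES:
        low, high, fixed = AFFECTED_RANGES[branch]
        return ("vulnerable" if low <= v <= high else "patched", fixed)
    if v >= NOT_AFFECTED_FROM:
        return ("not_affected", None)
    return ("unknown", None)  # branch not covered by the advisory text


def triage(inventory: list) -> dict:
    """Group (hostname, version) pairs by status, keeping the fix target per host."""
    groups = defaultdict(list)
    for host, version in inventory:
        try:
            status, fixed = assess(version)
        except ValueError:
            status, fixed = "unparseable", None
        target = ".".join(map(str, fixed)) if fixed else None
        groups[status].append((host, version, target))
    return dict(groups)


# Constructed sample inventory for the demonstration.
SAMPLE_INVENTORY = [
    ("waf-dc1", "7.4.7"),
    ("waf-dc2", "7.4.8"),
    ("waf-lab", "7.6.0"),
    ("waf-edge", "8.0.0"),
    ("waf-old", "6.4.2"),
    ("waf-odd", "7.2"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        for host, version, target in hosts:
            print(f"{status:13} {host:10} {version:8} -> {target or '-'}")
```

Because the comparison is on the parsed tuple rather than on strings, "7.4.10" sorts correctly after "7.4.8", which is the usual mistake when such checks are done with string comparison.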
The exploit requires specific conditions, including knowledge of non-public device information and an active target user session during exploitation.
Attack complexity involves brute-forcing an unknown validation number through the refresh_total_logins() function, typically requiring fewer than 30 attempts with O(N) computational cost.
Security researcher Aviv Y, who discovered this vulnerability under responsible disclosure, developed a complete exploit chain utilizing the /ws/cli/open endpoint for CLI access.
Fortinet has already released a patch for the vulnerability; users are recommended to update their systems with the patches released yesterday.