Ethical Hacking News
A recent vulnerability in FortiWeb has left users vulnerable to full authentication bypass due to an out-of-bounds read in FortiWeb's cookie parsing.
FortiWeb, Fortinet's web application firewall (WAF), has a critical vulnerability that lets remote attackers bypass authentication. The flaw, CVE-2025-52970, is an out-of-bounds read in FortiWeb's cookie parsing. Exploiting it requires that the targeted user have an active session and that the attacker brute-force a small numeric field in the cookie. Fortinet fixed the issue in version 7.6.4 and later, but a partial proof-of-concept (PoC) exploit has already been published. Administrators should patch now: attackers closely follow such announcements, and a full PoC may follow soon.
The security landscape is constantly evolving, and researchers are continually uncovering new vulnerabilities that can be exploited by malicious actors. One such vulnerability has been identified in the FortiWeb web application firewall (WAF), which has left users vulnerable to full authentication bypass. In this article, we will delve into the details of this vulnerability, its implications, and what steps can be taken to mitigate it.
A recent report from security researcher Aviv Y revealed a partial proof-of-concept (PoC) exploit for CVE-2025-52970, a critical vulnerability in FortiWeb that allows remote attackers to bypass authentication. The researcher reported the flaw responsibly to Fortinet, the manufacturer of FortiWeb, and it has now been fixed in versions 7.6.4 and later.
Technically, the vulnerability is an out-of-bounds read in FortiWeb's cookie parsing, triggered when an attacker sets the cookie's Era parameter to an unexpected value. The bad read causes the server to use an all-zero secret key for session encryption and HMAC signing, so forged authentication cookies become trivial to create: the attacker effectively knows the key. In practice, this lets an attacker impersonate any user who has an active session, including administrators.
To exploit CVE-2025-52970, the target user must have an active session during the attack, and the adversary must brute-force a small numeric field in the cookie. The brute-force requirement comes from a field in the signed cookie that is validated by the function refresh_total_logins() (in libncfg.so). The attacker does not know this value in advance, but the researcher notes that it is usually not above 30, leaving a search space of roughly 30 requests.
Because the forged cookie is signed with the all-zero key (the result of the Era bug), every guess is a correctly signed cookie that can be tested instantly: the attacker submits it and observes whether the server accepts it. No cleverness is needed; iterating over the narrow range until one value is accepted is enough.
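To make the chain above concrete, here is an added example, constructed for this article and not FortiWeb code or code from the researcher's write-up, that models the bug class in Python: a cookie verifier that indexes a signing-key table by the cookie's era value without a bounds check, beside the bounded version. The cookie layout, the key table, the zero-filled memory past it, the session store, the field name `n` and the era value `99` are all assumptions; FortiWeb's real data structures are not described on this page. The attacker function knows no server secret: it signs with the all-zero key that an out-of-range era produces and uses the server's accept/reject decision as its oracle while iterating over the small numeric field.

```python
"""Toy model of an era-indexed key lookup bug and its crypto consequence.

Everything here is constructed for illustration: the cookie format, key
table, session store and field names are assumptions, not FortiWeb internals.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Callable, Optional, Tuple

KEY_SIZE = 32
# Assumed server-side key table: one signing key per valid era (0, 1, 2).
KEY_TABLE = [secrets.token_bytes(KEY_SIZE) for _ in range(3)]
# Assumed session store: only a user with a live session can be impersonated.
# The small numeric field "n" models the per-session value the server checks;
# the attacker does not know it, but it stays within a small range.
SESSIONS = {"admin": {"n": 17}}


def key_for_era_vulnerable(era: int) -> bytes:
    """Buggy lookup: no bounds check on the era index.  Reading past the table
    is modelled as reading zero-filled memory, so any out-of-range era yields
    an all-zero key (assumption chosen to match the all-zero key described)."""
    if 0 <= era < len(KEY_TABLE):
        return KEY_TABLE[era]
    return bytes(KEY_SIZE)


def key_for_era_hardened(era: int) -> bytes:
    """Fixed lookup: an era outside the table is an error, never a key."""
    if not 0 <= era < len(KEY_TABLE):
        raise ValueError("unknown era")
    return KEY_TABLE[era]


def _mac(era: int, payload: bytes, key: bytes) -> str:
    # The era is bound into the MAC so it cannot be swapped after signing.
    return hmac.new(key, f"{era}|".encode() + payload, hashlib.sha256).hexdigest()


def make_cookie(era: int, payload: bytes, key: bytes) -> str:
    """Assumed cookie layout: era|base64(payload)|hex(HMAC-SHA256)."""
    return f"{era}|{base64.urlsafe_b64encode(payload).decode()}|{_mac(era, payload, key)}"


def verify_cookie(cookie: str, key_lookup: Callable[[int], bytes]) -> Optional[str]:
    """Server side: returns the user name if the cookie is accepted, else None."""
    try:
        era_s, payload_b64, mac = cookie.split("|")
        era = int(era_s)
        payload = base64.urlsafe_b64decode(payload_b64)
        key = key_lookup(era)  # the only step that differs between the two versions
        fields = json.loads(payload)
    except (ValueError, TypeError):
        return None
    if not isinstance(fields, dict):
        return None
    if not hmac.compare_digest(_mac(era, payload, key), mac):
        return None
    user = fields.get("user")
    session = SESSIONS.get(user)
    # Models the refresh_total_logins()-style check: the numeric field must
    # match the live session's value, so a forged cookie still needs a guess.
    if session is None or fields.get("n") != session["n"]:
        return None
    return user


def verify_vulnerable(cookie: str) -> Optional[str]:
    return verify_cookie(cookie, key_for_era_vulnerable)


def verify_hardened(cookie: str) -> Optional[str]:
    return verify_cookie(cookie, key_for_era_hardened)


def forge_and_bruteforce(verify: Callable[[str], Optional[str]], target_user: str,
                         bogus_era: int = 99, max_n: int = 30) -> Optional[Tuple[str, int]]:
    """Attacker side.  Signs with the all-zero key that an out-of-range era
    produces and tries each value of the small numeric field in turn, using
    the server's accept/reject as the oracle.  Returns (accepted cookie,
    number of requests sent) or None if every attempt is rejected."""
    zero_key = bytes(KEY_SIZE)
    for n in range(max_n + 1):
        payload = json.dumps({"user": target_user, "n": n}).encode()
        cookie = make_cookie(bogus_era, payload, zero_key)
        if verify(cookie) == target_user:
            return cookie, n + 1
    return None


if __name__ == "__main__":
    hit = forge_and_bruteforce(verify_vulnerable, "admin")
    print("vulnerable server:", f"admin hijacked after {hit[1]} requests" if hit else "rejected")
    print("hardened server:  ", forge_and_bruteforce(verify_hardened, "admin"))
```

Run as a script, the vulnerable verifier accepts a forged admin cookie after 18 requests (the constructed session value is 17, and the attacker starts at 0), while the hardened verifier rejects every attempt. The fix is the single step that treats an out-of-range era as an error instead of silently returning whatever lies past the table; a cookie for a user with no live session is rejected by both verifiers, which is the model's counterpart of the active-session requirement.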
The issue affects FortiWeb 7.0 through 7.6 and was fixed in version 7.6.4 and later; administrators running an earlier release branch should check Fortinet's advisory for the fixed build of their branch. The researcher has already released a partial PoC for CVE-2025-52970 that demonstrates the core of the issue without providing the complete exploitation details.
Aviv Y, the researcher who identified the vulnerability, has promised to publish the complete exploitation details later, to give system administrators more time to apply the fix before a full PoC is released. According to the researcher, the published details demonstrate the core of the issue but are not enough for even knowledgeable attackers to infer the rest and build a fully weaponized chain.
Even so, immediate action is warranted: attackers follow these announcements closely and will be ready to act as soon as a full PoC is out. Aviv Y noted that an attacker would first have to reverse-engineer the format of the fields in the session, which is not trivial because Fortinet uses its own data structures.
The vulnerability also underscores the value of regular security audits and prompt patching. Vulnerabilities in any software can arise from coding errors or design flaws, and organizations should apply vendor patches as soon as they are released. Because this attack only works against a user with a live session, operators who cannot patch immediately should at least reduce exposure of FortiWeb's management interfaces and keep privileged sessions short-lived.
In conclusion, CVE-2025-52970 is a critical vulnerability in FortiWeb that remote attackers can exploit to bypass authentication. The researcher's decision to release a partial PoC first signals the urgency of the issue and the need to act now. By understanding the details of this vulnerability, organizations can take the necessary steps to protect themselves against attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Critical-Vulnerability-in-FortiWeb-Web-Application-Firewall-Exposes-Users-to-Full-Authentication-Bypass-ehn.shtml
https://www.bleepingcomputer.com/news/security/researcher-to-release-exploit-for-full-auth-bypass-on-fortiweb/
https://pwner.gg/blog/2025-08-13-fortiweb-cve-2025-52970
https://nvd.nist.gov/vuln/detail/CVE-2025-52970
https://www.cvedetails.com/cve/CVE-2025-52970/
Published: Sat Aug 16 16:21:33 2025 by llama3.2 3B Q4_K_M