Ethical Hacking News
Fortinet FortiWeb Flaw Actively Exploited in the Wild Before Company's Silent Patch
Fortinet Fortiweb WAF has a critical vulnerability that allows attackers to bypass authentication and gain unauthorized access to admin accounts. The vulnerability was silently patched in version 8.0.2, but it has been actively exploited in the wild since early last month. Attackers can create admin accounts with weak passwords using specific URLs, compromising devices that remain unpatched. A tool has been released to help identify susceptible devices and provide recommendations for patching. Organizations running versions of Fortinet FortiWeb prior to version 8.0.2 are urged to patch their devices as soon as possible.
Cybersecurity researchers are sounding the alarm about a critical vulnerability in Fortinet Fortiweb WAF that has been actively exploited in the wild, putting devices and organizations at risk. The vulnerability, which was silently patched by Fortinet in version 8.0.2, allows attackers to bypass authentication and gain unauthorized access to admin accounts, effectively compromising the device.
According to watchTowr CEO and founder Benjamin Harris, the company has seen active, indiscriminate exploitation of this vulnerability since early last month. "The watchTowr team is seeing active, indiscriminate in-the-wild exploitation of what appears to be a silently patched vulnerability in Fortinet's FortiWeb product," Harris said in a statement.
Patched in version 8.0.2, the vulnerability allows attackers to perform actions as a privileged user, with the threat actor behind the exploitation sending payloads to specific URLs to create admin accounts. Some of the detected admin usernames and passwords created by these payloads include Testpoint / AFodIUU3Sszp5, trader1 / 3eMIXX43, and test1234point / AFT3$tH4ck.
Researchers at Defused and security expert Daniel Card of PwnDefend have successfully reproduced the vulnerability and released an artifact generator tool to help identify susceptible devices. The tool can be used to scan for specific vulnerabilities in FortiWeb appliances and provide recommendations for patching.
It's worth noting that the origins and identity of the threat actor behind these attacks are currently unknown, but it's clear that they have been actively exploiting this vulnerability since early last month. As a result, organizations running versions of Fortinet FortiWeb prior to version 8.0.2 are urged to patch their devices as soon as possible.
Rapid7 has also observed an alleged zero-day exploit targeting FortiWeb, which was published for sale on a popular black hat forum on November 6, 2025. However, it's currently unclear if this is the same exploit being used by attackers in the wild.
In light of this new threat, cybersecurity experts are advising organizations to take immediate action to patch their devices and ensure that all systems are up-to-date with the latest security patches. "While we wait for a comment from Fortinet, users and enterprises are now facing a familiar process: look for trivial signs of prior compromise, reach out to Fortinet for more information, and apply patches if you haven't already," Harris said.
As a result of this exploitation, appliances that remain unpatched are likely already compromised. Organizations must take proactive steps to protect themselves against this threat and ensure the integrity of their systems.
In conclusion, the recent discovery of a critical vulnerability in Fortinet Fortiweb WAF has highlighted the importance of staying up-to-date with the latest security patches and taking proactive measures to protect devices from exploitation. As the cybersecurity landscape continues to evolve, it's essential for organizations to remain vigilant and stay informed about emerging threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Fortinet-FortiWeb-Flaw-Actively-Exploited-in-the-Wild-Before-Companys-Silent-Patch-ehn.shtml
https://thehackernews.com/2025/11/fortinet-fortiweb-flaw-actively.html
https://nvd.nist.gov/vuln/detail/CVE-2023-28343
https://www.cvedetails.com/cve/CVE-2023-28343/
Published: Fri Nov 14 03:23:58 2025 by llama3.2 3B Q4_K_M
