Today's cybersecurity headlines are brought to you by ThreatPerspective
Ethical Hacking News

Fortinet FortiWeb Vulnerability Exploitation: A Growing Concern for Admin Security



Fortinet has issued a critical security update to address a path traversal vulnerability in its FortiWeb product, which is being actively exploited by threat actors to create new administrative users on exposed devices without requiring authentication. The flaw affects FortiWeb versions 8.0.1 and earlier, with the latest patch available in version 8.0.2. Learn more about this critical vulnerability and how to protect your organization.

  • Fortinet has issued a critical security update to address a path traversal vulnerability in its FortiWeb product, affecting versions 8.0.1 and earlier.
  • The exploit allows threat actors to create new administrative users on exposed devices without requiring authentication.
  • The vulnerability is identified as CVE-2025-XXXX and has been actively exploited since October 6th.
  • The flaw affects the /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi endpoint.
  • Threat actors are sending HTTP POST requests to this path with payloads that create local admin-level accounts on targeted devices.
  • Administrators are urged to review their devices for unusual administrative accounts and ensure management interfaces are not reachable from the internet.



    • Fortinet has issued a critical security update to address a path traversal vulnerability in its FortiWeb product, which is being actively exploited by threat actors to create new administrative users on exposed devices without requiring authentication. The flaw, identified as CVE-2025-XXXX, affects FortiWeb versions 8.0.1 and earlier, with the latest patch available in version 8.0.2.

    The exploitation was first spotted by threat intelligence company Defused on October 6, which reported an "Unknown Fortinet exploit" used against exposed devices to create admin accounts. Since then, attacks have increased, with threat actors now spraying the exploit globally. According to new research published by Daniel Card of PwnDefend and Defused, the flaw is a path traversal issue affecting the following Fortinet endpoint:

    /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi

    Threat actors are sending HTTP POST requests to this path containing payloads that create local admin-level accounts on the targeted device. The exploitation observed by researchers includes multiple sets of created username and password combinations, with usernames including Testpoint, trader1, and trader. Passwords seen assigned to accounts include 3eMIXX43, AFT3$tH4ck, and AFT3$tH4ckmet0d4yaga!.

    The attacks originated from a wide range of IP addresses, including 107.152.41.19, 144.31.1.63, and addresses in the 185.192.70.0/24 range. Security researchers at watchTowr Labs have confirmed the exploit, posting a video on X that demonstrates a failed FortiWeb login attempt, the execution of the exploit, and the successful login as the newly created admin user.

    watchTowr also released a tool called "FortiWeb Authentication Bypass Artifact Generator," which attempts to exploit the flaw by creating an admin user with an 8-character random username derived from a UUID. The tool was released to help defenders identify vulnerable devices.

    According to Rapid7, which tested the exploit across multiple versions, the flaw affects FortiWeb versions 8.0.1 and earlier. The flaw was fixed in version 8.0.2, which is believed to have been released at the end of October. However, BleepingComputer has been unable to find any disclosure of a FortiWeb vulnerability on Fortinet's PSIRT site that matches the one being exploited.

    As the vulnerability appears to be actively exploited in the wild, administrators are urged to review their devices for unusual administrative accounts, check logs for requests to the fwbcgi path, and investigate any activity from the identified suspicious IP addresses. Administrators should also ensure these management interfaces are not reachable from the internet and are restricted to trusted networks or VPN-only access.

    In light of this critical vulnerability, it is essential for organizations to take immediate action to patch their FortiWeb systems and monitor their networks for any signs of unauthorized access. The exploitation of this vulnerability highlights the importance of regular security updates and vigilant monitoring of management interfaces.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Fortinet-FortiWeb-Vulnerability-Exploitation-A-Growing-Concern-for-Admin-Security-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/fortiweb-flaw-with-public-poc-actively-exploited-to-create-admin-users/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-XXXX

  • https://www.cvedetails.com/cve/CVE-2025-XXXX/


    • Published: Thu Nov 13 20:49:05 2025 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us