

Ethical Hacking News

Newly-Patched Fortinet Flaw Exploited to Create Admin Accounts: A Growing Concern for Cybersecurity



Fortinet's FortiWeb product has recently been exploited through an authentication bypass vulnerability that allows attackers to create admin accounts. The vulnerability was patched in version 8.0.2, but many devices remain vulnerable due to outdated software. Organizations are advised to apply patches and stay vigilant about potential security threats.



  • Fortinet's FortiWeb product is affected by an authentication bypass vulnerability that allows attackers to create admin accounts easily.
  • The vulnerability was patched in version 8.0.2 but organizations that haven't applied the patch are still vulnerable.
  • Threat actors have been exploiting this vulnerability by sending HTTP POST requests to create admin accounts.
  • The origins and identity of the threat actor behind the attacks remain unknown, but an alleged zero-day exploit targeting FortiWeb has been observed for sale on a black hat forum.
  • Fortinet has not assigned a CVE identifier or published an advisory yet.
  • Organizations running unpatched versions of FortiWeb are advised to look for signs of prior compromise and apply patches immediately.



    Fortinet, a well-established player in the cybersecurity industry, has recently been hit by an authentication bypass vulnerability in its FortiWeb product that allows attackers to create admin accounts with relative ease. The discovery has sent shockwaves through the cybersecurity community, as it highlights the importance of keeping software up to date and staying vigilant about potential security threats.

    According to recent data, the vulnerability, which was patched in version 8.0.2, allows an attacker to perform actions as a privileged user - with in-the-wild exploitation focusing on adding a new administrator account as a basic persistence mechanism for the attackers. This means that even if an organization has previously installed the patch, they are still vulnerable to this type of attack.

    The team at cybersecurity company watchTowr is currently seeing active, indiscriminate in-the-wild exploitation of what appears to be a silently patched vulnerability in Fortinet's FortiWeb product. The team has successfully reproduced the vulnerability and created a working proof-of-concept (PoC), and has released an artifact generator tool for the authentication bypass to help identify susceptible devices.

    Threat actors behind the exploitation have been found to send a payload to the path "/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi" by means of an HTTP POST request to create an admin account. Some of the admin usernames and passwords created by the payloads detected in the wild are testpoint / AFodIUU3Sszp5, trader1 / 3eMIXX43, trader / 3eMIXX43, test1234point / AFT3$tH4ck, Testpoint / AFT3$tH4ck, and Testpoint / AFT3$tH4ckmet0d4yaga!.

    The origins and identity of the threat actor behind the attacks remain unknown. However, Rapid7 has observed an alleged zero-day exploit targeting FortiWeb that was published for sale on a popular black hat forum on November 6, 2025. It's currently not clear if it's the same exploit.

    Fortinet has not assigned a CVE identifier or published an advisory on its PSIRT feed as of writing. As a result, organizations running versions of Fortinet FortiWeb that predate 8.0.2 are now facing a familiar process: look for trivial signs of prior compromise, reach out to Fortinet for more information, and apply patches if you haven't already.
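
    One way to look for the signs of prior compromise described above, as an added example that is not part of the original article or any vendor tooling: it flags POST requests whose path starts under the admin API but resolves to the CGI binary, and matches existing admin names against the usernames reported in the wild. The combined-log-format input, the sample lines and the function names are assumptions made for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Path components and usernames as reported in the article above.
API_PREFIX = "/api/v2.0/cmdb/system/admin"
CGI_TARGET = "/cgi-bin/fwbcgi"
REPORTED_ADMINS = {"testpoint", "trader1", "trader", "test1234point"}

# Assumption: combined-log-format access lines, e.g. from a proxy in front of the appliance.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def resolved_path(target):
    """Percent-decode the path part of a request target and collapse '..' segments."""
    raw_path = target.split("?", 1)[0]   # a literal '?' starts the real query string
    return normpath(unquote(raw_path))   # '%3F' decodes to '?' and stays in the path

def find_suspicious(lines):
    """Return (ip, timestamp, status) for POSTs under the admin API that resolve to the CGI."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        decoded = unquote(m["target"].split("?", 1)[0])
        if decoded.startswith(API_PREFIX) and resolved_path(m["target"]) == CGI_TARGET:
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits

def reported_admins(account_names):
    """Case-insensitive match of existing admin names against those seen in the wild."""
    return sorted(n for n in account_names if n.lower() in REPORTED_ADMINS)

# Constructed sample data (documentation IP ranges), not real log output.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Nov/2025:09:14:02 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Nov/2025:09:15:41 +0000] "POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 96',
    '192.0.2.10 - - [13/Nov/2025:09:16:20 +0000] "POST /api/v2.0/cmdb/system/admin HTTP/1.1" 401 64',
]
SAMPLE_ADMINS = ["admin", "Testpoint", "netops"]

if __name__ == "__main__":
    for ip, ts, status in find_suspicious(SAMPLE_LOG):
        print(f"suspicious POST from {ip} at {ts} (HTTP {status})")
    print("admin accounts to review:", reported_admins(SAMPLE_ADMINS))
```

    A match on either check is a reason to investigate the appliance further, not proof of compromise on its own.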

    Benjamin Harris, watchTowr CEO and founder, has stated that given the indiscriminate exploitation observed, appliances that remain unpatched are likely already compromised. This highlights the importance of keeping software up-to-date and being vigilant about potential security threats.

    It's worth noting that Fortinet has a reputation for producing high-quality security products, but this latest discovery serves as a reminder that no system is completely secure, and vulnerabilities can arise even in established companies.

    Organizations need to stay informed about the latest cybersecurity threats and keep their software up to date. This includes applying patches and staying vigilant about potential security threats, especially with zero-day exploits on the rise.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Newly-Patched-Fortinet-Flaw-Exploited-to-Create-Admin-Accounts-A-Growing-Concern-for-Cybersecurity-ehn.shtml

  • https://thehackernews.com/2025/11/fortinet-fortiweb-flaw-actively.html


  • Published: Fri Nov 14 04:51:00 2025 by llama3.2 3B Q4_K_M












