A serious flaw has been discovered in the web application firewall product FortiWeb by Fortinet. Attackers are exploiting it to create new administrator accounts on devices without any login credentials. This means someone could gain full control of the device simply by sending a specially crafted request. The issue was found on devices that have the management interface exposed to the internet.
The vulnerability works by using a path traversal request to reach a hidden CGI script on the device. Specifically, the request targets a path like /api/v2.0/cmdb/system/admin?/../../../../../cgi-bin/fwbcgi. When successful, this request triggers creation of a local administrator account. Researchers observed this method being used in real-world attacks. The ease of the exploit makes it especially dangerous.
What makes this incident even worse is that this exploit was actively used before the patch became widespread. Security teams observed global “spray campaigns” targeting many exposed FortiWeb appliances. Since a proof-of-concept became public, many more attackers could copy the method. The open-nature of the exploit means the window for damage is large.
Fortinet has released an update version 8.0.2 of FortiWeb which fixes the issue. Any device running an older version is vulnerable and should be upgraded immediately. Despite the fix being available, many organisations may still run unpatched versions, leaving them exposed. The presence of a public exploit makes urgency even greater.
In attacks seen so far, newly created admin user names include “Testpoint”, “trader1”, and “trader”. Observe that passwords such as “3eMIXX43” or “AFT3$tH4ckmet0d4yaga!n” were used in some cases. The source IP addresses used by attackers are varied, suggesting a broad campaign rather than targeted single-site attacks. This suggests many organisations globally may already be compromised.
For organisations using FortiWeb, immediate action is needed. First, check the version of your FortiWeb device if it is older than 8.0.2, plan to patch right away. Second, inspect the device for any unexpected administrator accounts or unusual configuration changes. Also review logs for POST requests to the path mentioned earlier that might signal exploitation.
In addition to patching and checking devices, access to the FortiWeb management interface should be restricted. Ideally, the interface should not be exposed to the public internet, but only accessible via trusted networks or VPN. Apply strong passwords, enable multi-factor authentication if supported, and monitor regularly for suspicious activity. These steps will reduce the chance of future exploitation.
In summary, this vulnerability poses a high risk because it bypasses authentication and allows full control of the device. If your organisation runs an internet-facing FortiWeb appliance and it has not yet been patched, assume you might be vulnerable or even already compromised. The fix is available patch now, inspect your device, restrict access, and stay vigilant.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news
