Fortinet FortiWeb Flaw Exploited in Attacks to Create Admin Accounts
- Nov 14, 2025
Key Findings
A critical vulnerability in Fortinet's FortiWeb Web Application Firewall (WAF) product allows unauthenticated attackers to gain administrative-level access.
The flaw has been observed being actively exploited in the wild since October 2025.
A public Proof-of-Concept (PoC) exploit exists, raising the likelihood of widespread exploitation.
Organizations using vulnerable versions of FortiWeb are advised to take emergency remediation steps.
Background
On October 6, 2025, cybersecurity firm Defused observed a PoC exploit targeting one of its FortiWeb Manager honeypots.
The captured traffic showed an unauthenticated attacker sending a crafted HTTP POST request that resulted in the creation of a new administrator-level account on the FortiWeb Manager panel.
Rapid7 subsequently tested the exploit against multiple versions of FortiWeb and found that the public PoC works reliably against version 8.0.1 (released in August 2025), but fails against the latest 8.0.2 release.
Escalation and Exploitation
On November 6, 2025, Rapid7 Labs spotted an alleged FortiWeb zero-day exploit for sale on a popular black hat forum.
It's unclear if this underground listing describes the same vulnerability discovered by Defused, but the timing is concerning.
No official Fortinet PSIRT advisory or CVE identifier has been published for this issue yet.
Indicators of Compromise (IoCs)
Unusual admin account creation: New FortiWeb administrator accounts with generic or "Testpoint" usernames should be investigated.
Odd POST requests to FortiWeb management APIs: Look for POSTs to rarely used configuration endpoints, especially those related to system administration or account management.
CLI/Websocket activity from untrusted IPs: Any websocket CLI sessions or admin login attempts from unexpected external IPs are a red flag.
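The three IoC patterns above can be turned into a simple triage pass over management logs. The following is an added example, not code from the original advisory or from Fortinet; it assumes a constructed key=value log format (not the real FortiWeb log schema), a hypothetical management endpoint path, and a hypothetical set of trusted administrative networks.

```python
import ipaddress
import re
from typing import Dict, List

# Assumption: admin activity is only expected from these management networks.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample lines in a generic key=value style; this is a stand-in,
# NOT the real FortiWeb log format, and /api/v1/admin-users is a hypothetical path.
SAMPLE_LOGS = [
    "date=2025-10-06 src=203.0.113.7 method=POST path=/api/v1/admin-users status=200",
    "date=2025-10-06 src=203.0.113.7 event=admin_add user=Testpoint profile=prof_admin",
    "date=2025-10-06 src=10.1.2.3 method=POST path=/api/v1/admin-users status=200",
    "date=2025-10-06 src=10.1.2.3 event=admin_add user=jsmith profile=prof_admin",
    "date=2025-10-07 src=198.51.100.9 event=cli_ws_session user=admin result=open",
    "date=2025-10-07 src=10.9.9.9 event=cli_ws_session user=ops-alice result=open",
]

KV = re.compile(r"(\w+)=(\S+)")
# Generic or throwaway-looking admin names (the advisory mentions "Testpoint").
SUSPICIOUS_USER = re.compile(r"^(test\w*|admin\d*|user\d*)$", re.IGNORECASE)


def parse(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict."""
    return dict(KV.findall(line))


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside a trusted management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def triage(lines: List[str]) -> List[str]:
    """Return one finding per log line that matches one of the IoC patterns."""
    findings = []
    for line in lines:
        rec = parse(line)
        src = rec.get("src", "")
        untrusted = bool(src) and not is_trusted(src)
        event = rec.get("event", "")
        if event == "admin_add":
            user = rec.get("user", "")
            if untrusted or SUSPICIOUS_USER.match(user):
                findings.append(f"admin account created: user={user} src={src}")
        elif rec.get("method") == "POST" and rec.get("path", "").startswith("/api/") and untrusted:
            findings.append(f"management API POST from untrusted source: path={rec['path']} src={src}")
        elif event == "cli_ws_session" and untrusted:
            findings.append(f"websocket CLI session from untrusted source: user={rec.get('user', '')} src={src}")
    return findings
```

Running `triage(SAMPLE_LOGS)` flags the external POST, the "Testpoint" account creation and the external websocket CLI session, while the same actions from the trusted ranges pass.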
Recommendations
Organizations running FortiWeb versions prior to 8.0.2 are strongly advised to update to the latest 8.0.2 release as an emergency measure.
Security teams may want to run detection tooling, such as the tool released by watchTowr, in a controlled environment to check whether their specific builds are exploitable.
Defenders should closely monitor for signs of suspicious activity outlined in the IoCs section.
Sources
https://securityonline.info/zero-day-attack-warning-fortinet-fortiweb-exploit-grants-unauthenticated-admin-access/
https://thehackernews.com/2025/11/fortinet-fortiweb-flaw-actively.html
https://x.com/catnap707/status/1989167844941263074
https://x.com/fridaysecurity/status/1989166375122956657