Critical FortiWeb Vulnerability Exploited in Cyberattacks

A critical authentication bypass vulnerability in Fortinet FortiWeb web application firewall is being actively exploited by attackers to compromise devices and establish unauthorized administrator access. The security flaw, which was silently patched in FortiWeb version 8.0.2, allows threat actors to bypass authentication mechanisms and perform privileged actions without legitimate credentials.

Cybersecurity firm watchTowr first detected the widespread exploitation campaign and successfully reproduced the vulnerability in laboratory conditions. The company has since released detection tools to help organizations identify compromised systems. Security researcher Daniel Card of PwnDefend and threat intelligence firm Defused independently documented active attack attempts beginning in early October 2025.

The attack methodology involves sending specially crafted HTTP POST requests to a specific API endpoint that exploits a path traversal vulnerability. Attackers target the endpoint /api/v2.0/cmdb/system/admin with malicious payloads containing encoded commands that create new administrator accounts. Once these accounts are established, attackers gain complete control over the affected FortiWeb device.

Analysis of captured attack traffic reveals multiple attacker-created accounts with usernames including Testpoint, trader, trader1, and test1234point, paired with various passwords. The most recent documented attack attempt originated from IP address 64.95.13.8 on October 6, 2025, targeting a FortiWeb device and attempting to create an administrator account with the username kick. At the time of detection, major antivirus engines failed to identify the malicious payload, with VirusTotal showing zero detections across 95 security vendors.

The vulnerability correlates with Bug 1198193 documented in Fortinet’s version 8.0.2 release notes, which describes an SSH login authentication issue affecting local administrator accounts. While the release notes attributed the problem to improper handling of authentication return values, the actual exploitation reveals a more severe authentication bypass condition that extends beyond SSH access.

Fortinet has not issued a formal security advisory or assigned a CVE identifier for this vulnerability despite active exploitation. The company’s Product Security Incident Response Team has not published guidance on its official channels, leaving many organizations unaware of the risk. Fortinet has not responded to requests for comment from security researchers and media outlets.

Cybersecurity firm Rapid7 issued an emergency recommendation urging all organizations running FortiWeb versions prior to 8.0.2 to apply patches immediately. The firm warns that given the indiscriminate nature of the exploitation observed across the internet, any unpatched FortiWeb appliance should be considered potentially compromised.

Evidence suggests a zero-day exploit for this vulnerability was advertised for sale on underground forums on November 6, 2025, though it remains unclear whether this offering represents the same exploit being used in the wild or a separate attack vector. The threat actor responsible for the current exploitation campaign has not been identified, and their objectives beyond establishing persistent administrative access remain unknown.

Organizations operating FortiWeb devices should immediately verify they are running version 8.0.2 or later. Administrators should audit all user accounts for unauthorized entries, particularly those matching the known malicious account names. System logs should be reviewed for suspicious API requests to the admin configuration endpoints. Any signs of compromise require immediate incident response procedures including credential rotation, forensic investigation, and potential device reimaging.

The FortiWeb vulnerability represents the latest in a series of security incidents affecting Fortinet products. The company’s network security appliances are widely deployed across enterprise networks, government agencies, and critical infrastructure, making them attractive targets for sophisticated threat actors. The silent patching approach without public disclosure has drawn criticism from the cybersecurity community for potentially leaving customers vulnerable during the window between patch release and widespread awareness.