A significant vulnerability in Fortinet’s FortiWeb Web Application Firewall has come to light, being actively exploited by threat actors potentially as a zero-day attack vector. This flaw enables unauthenticated attackers to gain administrator-level access to the FortiWeb Manager and WebSocket command-line interface. The first indication of this vulnerability was through a proof-of-concept exploit shared by cyber deception firm Defused on October 6, 2025, following their honeypot capture of real-world attacks.
Security testing by Rapid7 confirmed that the exploit effectively creates unauthorized admin accounts on vulnerable versions, revealing significant response differences between affected and patched versions. Notably, a successful exploit on FortiWeb version 8.0.1 returns an HTTP 200 OK response, while version 8.0.2, released later, responds with a 403 Forbidden error. This underscores the urgency for organizations on older versions to prioritize updates or risk full device compromise and lateral movement within networks. Moreover, recent reports indicate the presence of an alleged zero-day exploit for FortiWeb for sale on a black hat forum.
The lack of official guidance or a CVE identifier from Fortinet raises concerns, especially as targeted attacks escalate. To mitigate risks, defenders are encouraged to scan logs for suspicious activities and monitor updates from Fortinet. This situation emphasizes the critical need for rapid patching in infrastructure to prevent broader exploitation.
👉 Pročitaj original: Cyber Security News
