Cybersecurity researchers are sounding the alarm regarding an active authentication bypass vulnerability affecting the Fortinet FortiWeb Web Application Firewall (WAF). This critical flaw allows an unauthorized attacker to seize control of administrator accounts and fully compromise the affected device. watchTowr CEO and founder, Benjamin Harris, confirmed observing active, indiscriminate exploitation of what appears to be a silently patched vulnerability in the FortiWeb product. The issue, which was addressed in version 8.0.2, enables attackers to execute actions as a privileged user, with observed exploitation tactics primarily focused on creating a new administrator account to establish a basic persistence mechanism.
The watchTowr team successfully reproduced the vulnerability and developed a working proof-of-concept (PoC). To assist with identification, the cybersecurity company has also released an artifact generator tool that can help organizations pinpoint susceptible devices. According to details shared by Defused and security researcher Daniel Card of PwnDefend, the threat actor behind the exploitation activity has been seen sending a specific payload via an HTTP POST request to the /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi endpoint to create a new admin account. Examples of admin usernames and passwords created by the payloads detected in the wild include: Testpoint / AFodIUU3Sszp5, trader1 / 3eMIXX43, and test1234point / AFT3$tH4ck.
In a follow-up analysis, watchTowr Labs researcher Sina Kheirkhah detailed that the vulnerability is, in fact, a combination of two distinct security flaws. The first is a path traversal bug present in the HTTP request that allows access to the fwbcgi executable via the path /api/v2.0/cmdb/system/admin%3F/../../../../../cg1-bin/fwbcgi. The second is an authentication bypass made possible by exploiting the contents of the HTTP request header, specifically CGIINFO. The fwbcgi binary contains logic that checks for a valid JSON body in the incoming HTTP request and also calls a function named cgi_auth(), which offers a mechanism to impersonate any user based on data provided by the client.
This impersonation process occurs in four steps: first, extracting the CGIINFO header from the HTTP request; second, decoding its Base64-encoded value; third, parsing the result as JSON; and finally, iterating over the JSON keys to extract four required attributes: username, profname (profile name), vdom (virtual domain), and loginname (login identifier). Crucially, these fields, passed through the HTTP request, instruct the fwbcgi binary on which user the request sender wishes to impersonate. For the built-in “admin” account, these required values are standardized across all devices and cannot be changed: username (“admin”), profname (“prof_admin”), vdom (“root”), and loginname (“admin”).
Consequently, an attacker can leverage the path traversal vulnerability by sending a specially crafted HTTP request containing a CGIINFO header with these fixed values. This allows them to successfully impersonate an administrator and inherit their privileges. Kheirkhah noted that this means an attacker can perform any privileged action simply by providing the appropriate JSON structure, adding that the flaw has been actively weaponized to create new local users with elevated privileges. Rapid7 is urging organizations running FortiWeb versions older than 8.0.2 to apply the patch immediately, noting that alleged zero-day exploits targeting FortiWeb were reportedly published for sale on a black hat forum as early as November 6, 2025. Harris concluded that given the indiscriminate exploitation already observed, unpatched appliances are likely already compromised.
Reference:
