MUST READ

Millions of sites at risk from Imunify360 critical flaw exploit

 | 

Critical FortiWeb flaw under attack, allowing complete compromise

 | 

Germany’s BSI issues guidelines to counter evasion attacks targeting LLMs

 | 

Washington Post notifies 10,000 individuals affected in Oracle-linked data theft

 | 

Chrome extension “Safery” steals Ethereum wallet seed phrases

 | 

A new round of Europol’s Operation Endgame dismantled Rhadamanthys, Venom RAT, and Elysium botnet

 | 

U.S. CISA adds WatchGuard Firebox, Microsoft Windows, and Gladinet Triofox flaws to its Known Exploited Vulnerabilities catalog

 | 

Amazon alerts: advanced threat actor exploits Cisco ISE & Citrix NetScaler zero-days

 | 

Google sues cybercriminal group Smishing Triad

 | 

New Danabot Windows version appears in the threat landscape after May disruption

 | 

Australia’s spy chief warns of China-linked threats to critical infrastructure

 | 

Synology patches critical BeeStation RCE flaw shown at Pwn2Own Ireland 2025

 | 

$7.3B crypto laundering: ‘Bitcoin Queen’ sentenced to 11 Years in UK

 | 

Microsoft Patch Tuesday security updates for November 2025 fixed an actively exploited Windows Kernel bug

 | 

SAP fixed a maximum severity flaw in SQL Anywhere Monitor

 | 

Fantasy Hub: Russian-sold Android RAT boasts full device espionage as MaaS

 | 

North Korea-linked Konni APT used Google Find Hub to erase data and spy on defectors

 | 

U.S. CISA adds Samsung mobile devices flaw to its Known Exploited Vulnerabilities catalog

 | 

Critical Triofox bug exploited to run malicious payloads via AV configuration

 | 

GlassWorm malware has resurfaced on the Open VSX registry

 | 

Critical FortiWeb flaw under attack, allowing complete compromise

Pierluigi Paganini November 14, 2025

A Fortinet FortiWeb auth-bypass flaw is being actively exploited, allowing attackers to hijack admin accounts and fully compromise devices.

Researchers warn of an authentication bypass flaw in Fortinet FortiWeb WAF that allows full device takeover.

The cybersecurity vendor addressed the vulnerability with the release version 8.0.2.

A security flaw lets anyone break into FortiWeb devices and get full admin control. The issue was publicly disclosed after Defused shared a PoC on October 6, 2025, following real attack attempts captured by its honeypot.

watchTowr Labs confirmed the FortiWeb exploit and published the video PoC on X. The team also released a tool, the “FortiWeb Authentication Bypass Artifact Generator,” which tries to exploit the flaw by creating an admin account with a random 8-character username.

Defused and researcher Daniel Card report that attackers are exploiting the flaw by sending a crafted HTTP POST request to “/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi” to create a new admin account.

“So this is already public and already being sprayed over the internet, there’s always a concern here when we think about how much intel to share/publish etc. So I’m not going to write the full details but I will give enough to help with detection logic (someone else is free to do more, that’s their own choice!)” Card explained.

The TA appears to send a payload to the following URL Endpoint via an HTTP POST request

/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi

Inside this is a payload to create a user account.”

Card extracted the following credentials from the payloads:

UsernamePassword
TestpointAFodIUU3Sszp5
trader13eMIXX43
trader3eMIXX43
test1234pointAFT3$tH4ck
TestpointAFT3$tH4ck
TestpointAFT3$tH4ckmet0d4yaga!n

At this time, is unclear who is behind the exploitation attempts.

On November 6, 2025, Rapid7 Labs researchers noted the sale of an alleged zero-day exploit targeting FortiWeb on a popular black hat forum.

However, it is unclear if it is the same exploit as the one described by the researchers.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, FortiWeb)

Fortinet FortiWeb WAF Hacking hacking news information security news IT Information Security Pierluigi Paganini Security Affairs Security News zero-Day

you might also like

Pierluigi Paganini November 14, 2025
Millions of sites at risk from Imunify360 critical flaw exploit
Read more
Pierluigi Paganini November 14, 2025
Germany’s BSI issues guidelines to counter evasion attacks targeting LLMs
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

recent articles

Millions of sites at risk from Imunify360 critical flaw exploit

Security / November 14, 2025

Critical FortiWeb flaw under attack, allowing complete compromise

Hacking / November 14, 2025

Germany’s BSI issues guidelines to counter evasion attacks targeting LLMs

Security / November 14, 2025

Washington Post notifies 10,000 individuals affected in Oracle-linked data theft

Data Breach / November 14, 2025

Chrome extension “Safery” steals Ethereum wallet seed phrases

Malware / November 13, 2025