Summary (TL;DR)
A Fortinet FortiWeb vulnerability is being actively exploited in the wild to create administrative accounts and gain persistent access to Internet-exposed FortiWeb appliances. Public proof-of-concept / exploit activity and weaponized code have appeared, and multiple monitoring/honeypot teams report exploitation since early November 2025. Exploitation yields full administrative control of the appliance (persistence, config tampering, credential access, logging disruption). Treat exposed FortiWeb management interfaces as high priority (critical) until patched or isolated.
Affected products / versions
FortiWeb appliances. Public reporting indicates devices running pre-8.0.2 builds (and earlier 7.x releases affected by CVE-2025-25257) are at risk. Confirm against Fortinet PSIRT for exact fixed versions for your image.
Technical summary of the exploit
- An unauthenticated remote actor sends crafted HTTP POST requests to FortiWeb management API/GUI endpoints that result in the creation of local admin accounts. The observed request target (from honeypot telemetry) uses a path-traversal-style payload against the FortiWeb API surface:
/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi
with a POST body that contains account creation fields.
- Public PoC code and demonstration videos were posted (reports by BleepingComputer and others). Once an admin account exists, an attacker can export configs, modify WAF rules, disable/change logging, add SSH keys or API tokens, and pivot using management-plane credentials.
- The exploitation pathway reported in the wild leverages crafted HTTP requests against FortiWeb management endpoints. Public reporting links this activity to path-traversal/parameter-handling bugs and/or SQLi weaknesses in FortiWeb GUI endpoints (historical CVE-2025-25257 and related PSIRT entries). The exact exploit chain is under active investigation; treat both SQLi and parameter/validation flaws as relevant attack surfaces.
Indicators of Compromise (IOCs): observable artifacts
- Usernames (extracted from payloads / telemetry):
Testpoint, trader1, trader, test1234point and variants (some payloads contain multiple password variants).
- Observed source IPs
107.152.41.19, 144.31.1.63, 89.169.55.168, 185.192.70.33, 185.192.70.53, 185.192.70.43, 185.192.70.25, 185.192.70.36, 185.192.70.49, 185.192.70.39, 185.192.70.57, 185.192.70.50, 185.192.70.46, 185.192.70.31, 64.95.13.8
- Request/URI patterns to search for (observed / reconstructed):
- URIs containing /api/v2.0/cmdb/system/admin plus encoded .. sequences (%2E%2E, ..) followed by /cgi-bin/fwbcgi
- POST bodies that include JSON/form parameters for username, password, profile/role and a sequence immediately followed by a login or successful session
Behavioral IOCs:
- New/unknown administrative accounts appearing in FortiWeb admin lists (especially outside maintenance windows).
- Immediate successful logins using created accounts after suspicious POSTs.
- Unusual config exports, sudden disabling or clearing of logging, or changes to WAF rule sets shortly after suspicious management requests.
Technical remediation playbook
- Containment (fast, reversible)
Block public access to FortiWeb management ports (80/443 or configured admin ports) at the network edge; restrict access to admin IPs or require VPN. If you use cloud firewall rules or perimeter ACLs, apply deny-by-default and allow only trusted operator IPs.
- Short term mitigation
If immediate blocking is impossible, place an ingress WAF / reverse proxy in front of the management interface, configured to drop requests to those endpoints that contain traversal sequences (.., %2e%2e) or suspicious JSON bodies carrying username and password fields, as a temporary mitigation. Do not try to patch by modifying appliance binaries.
- Patch / update
Verify vendor advisory and apply Fortinet’s recommended fixed firmware (reports reference FortiWeb 8.0.2 as containing fixes for the observed behavior; validate with Fortinet PSIRT before mass rollout). Test in a staging environment and then apply to production.
- Hunt / validate compromise
Pull management HTTP logs, system event logs, and admin user lists from each FortiWeb. Correlate suspicious POSTs to admin creation timestamps and source IPs. Look for immediate logins or session creation from the new account. Preserve logs and timestamps (write-protect copies) before remediation.
- Remediation if compromise confirmed
Disable unknown admin accounts (do not delete until evidence captured), rotate all credentials accessible via the appliance (API keys, integration credentials), revoke/reissue certs if private keys may have been exported. Rebuild or reload firmware from vendor-supplied images if evidence of compromise exists.
- Forensics / evidence collection
Export full appliance configuration, relevant logs, and (if supported) memory/system state. Collect network captures for the timeframe of suspicious activity. Engage DFIR team for deeper analysis. Preserve chain of custody for any evidence.
- Post-incident
Monitor for recurrence for at least 30 days. Implement monitoring for admin creation events and management-plane POSTs that match the patterns above. Report incidents to Fortinet PSIRT and any regulatory bodies as required.
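The hunt/validate step and the request and behavioural IOC patterns above, expressed as detection logic over constructed sample events. This is an added example, not code from the bulletin or from Fortinet: the key=value record layout and the event names (admin_create, login) are assumptions standing in for whatever your FortiWeb log export looks like, while the URI shape, usernames and source IPs come from the IOC list.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample events (not real FortiWeb log output): management-plane HTTP
# requests and admin audit events, flattened to a simple key=value line format.
SAMPLE_LOG = """\
ts=2025-11-08T02:14:05Z src=185.192.70.33 method=POST uri=/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi status=200
ts=2025-11-08T02:14:06Z event=admin_create user=trader1 src=185.192.70.33
ts=2025-11-08T02:14:20Z event=login user=trader1 src=185.192.70.33 result=success
ts=2025-11-08T02:15:00Z src=64.95.13.8 method=POST uri=/api/v2.0/cmdb/system/admin%3F/%2E%2E/%2E%2E/%2E%2E/cgi-bin/fwbcgi status=403
ts=2025-11-08T03:00:00Z src=10.0.0.5 method=GET uri=/api/v2.0/cmdb/system/admin status=200
ts=2025-11-08T09:30:00Z event=admin_create user=ops_jane src=10.0.0.5
"""

IOC_USERNAMES = {"testpoint", "trader1", "trader", "test1234point"}  # from the bulletin
# The reported shape: the admin endpoint, a ".." traversal segment, then the fwbcgi handler.
TRAVERSAL_RE = re.compile(r"/api/v2\.0/cmdb/system/admin.*\.\..*/cgi-bin/fwbcgi", re.I)

def is_traversal_uri(uri):
    # Decode twice so literal "..", "%2E%2E" and double-encoded "%252E%252E" all normalise.
    return TRAVERSAL_RE.search(unquote(unquote(uri))) is not None

def parse(line):
    e = dict(kv.split("=", 1) for kv in line.split())
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return e

def hunt(log_text, window=timedelta(minutes=15)):
    """Flag traversal POSTs, and admin creations whose username is a known IOC or which a
    traversal POST from the same source preceded within `window`; note follow-up logins."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()), key=lambda e: e["ts"])
    posts = [e for e in events if e.get("method") == "POST" and is_traversal_uri(e.get("uri", ""))]
    findings = [("traversal_post", p["src"], p["ts"].isoformat(), p["status"]) for p in posts]
    for c in (e for e in events if e.get("event") == "admin_create"):
        reasons = []
        if c["user"].lower() in IOC_USERNAMES:
            reasons.append("ioc_username")
        if any(p["src"] == c["src"] and timedelta(0) <= c["ts"] - p["ts"] <= window for p in posts):
            reasons.append("preceded_by_traversal_post")
        if reasons:
            # A successful login by the new account shortly after creation is the
            # "immediate successful login" behavioural IOC from the bulletin.
            logged_in = any(e.get("event") == "login" and e.get("user") == c["user"]
                            and e.get("result") == "success"
                            and timedelta(0) <= e["ts"] - c["ts"] <= window for e in events)
            findings.append(("suspicious_admin_create", c["user"], c["src"], reasons, logged_in))
    return findings
```

A blocked (403) traversal POST is still reported, since a probe that was stopped at the perimeter is worth knowing about when deciding whether the appliance needs a deeper check.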
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.