Cybersecurity researchers are sounding the alert about an authentication bypass vulnerability in Fortinet Fortiweb WAF that could allow an attacker to take over admin accounts and completely compromise a device.
“The watchTowr team is seeing active, indiscriminate in-the-wild exploitation of what appears to be a silently patched vulnerability in Fortinet’s FortiWeb product,” Benjamin Harris, watchTowr CEO and founder, said in a statement.
“Patched in version 8.0.2, the vulnerability allows attackers to perform actions as a privileged user – with in-the-wild exploitation focusing on adding a new administrator account as a basic persistence mechanism for the attackers.”
The cybersecurity company said it was able to successfully reproduce the vulnerability and create a working proof-of-concept (Poc). It has also released an artifact generator tool for the authentication bypass to help identify susceptible devices.
According to details shared by Defused and security researcher Daniel Card of PwnDefend, the threat actor behind the exploitation has been found to send a payload to the “/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi” by means of an HTTP POST request to create an admin account.
Some of the admin usernames and passwords created by the payloads detected in the wild are below –
- Testpoint / AFodIUU3Sszp5
- trader1 / 3eMIXX43
- trader / 3eMIXX43
- test1234point / AFT3$tH4ck
- Testpoint / AFT3$tH4ck
- Testpoint / AFT3$tH4ckmet0d4yaga!n
The origins and identity of the threat actor behind the attacks remain unknown. The exploitation activity was first detected early last month. As of writing, Fortinet has not assigned a CVE identifier or published an advisory on its PSIRT feed.
The Hacker News has reached out to Fortinet for comment, and we will update the story if we hear back.
Rapid7, which is urging organizations running versions of Fortinet FortiWeb that predate 8.0.2 to address the vulnerability on an emergency basis, said it observed an alleged zero-day exploit targeting FortiWeb was published for sale on a popular black hat forum on November 6, 2025. It’s currently not clear if it’s the same exploit.
“While we wait for a comment from Fortinet, users and enterprises are now facing a familiar process now: look for trivial signs of prior compromise, reach out to Fortinet for more information, and apply patches if you haven’t already,” Harris said. “That said, given the indiscriminate exploitation observed […], appliances that remain unpatched are likely already compromised.”
