A critical **path traversal vulnerability (CVE pending)** in Fortinet’s **FortiWeb web application firewall (WAF)** is being actively exploited globally, allowing unauthenticated attackers to **create administrative accounts** on unpatched devices. The flaw, present in versions **8.0.1 and earlier**, lets threat actors bypass authentication with a crafted HTTP POST request to the endpoint `/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi`. Attackers are automating mass scans and provisioning preconfigured credentials (e.g., usernames like *Testpoint*, *trader1*; passwords like *3eMIXX43*, *AFT3$tH4ck*) to gain persistent admin access.

Security researchers (**Defused, PwnDefend, watchTowr Labs**) confirm **widespread exploitation**, with IPs (e.g., *107.152.41.19*, *144.31.1.63*) linked to unauthorized account creation. While Fortinet released a patch (**8.0.2**) in late October, the absence of a public advisory or CVE assignment delays mitigation awareness. Organizations are urged to **immediately update**, audit admin accounts, block public access to management interfaces, and inspect logs for `fwbcgi` requests. The vulnerability serves as a **foothold for deeper network infiltration**, risking lateral movement into corporate environments if left unaddressed.
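The two checks recommended above (inspect logs for `fwbcgi` requests, audit admin accounts) can be scripted. The following is an added example written for this page, not code from Fortinet or any of the named research teams: it scans access-log lines for requests that reach `/cgi-bin/fwbcgi`, flags those that do so through a `..` traversal sequence (decoding URL encoding first, so double-encoded variants are not missed), marks source IPs quoted in the advisory, and compares an exported admin list against the reported usernames and a local approved baseline. The log line layout (`ip method path status`), the sample log lines and the account lists are constructed assumptions; adapt the regex to the real log format.

```python
"""Triage helper for the FortiWeb fwbcgi path-traversal activity described above.

Added example, not Fortinet's or any researcher's code. The access-log layout,
sample lines and account lists below are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Indicators quoted in the advisory text (usernames and source IPs).
SUSPICIOUS_USERNAMES = {"Testpoint", "trader1", "trader"}
REPORTED_SOURCE_IPS = {"107.152.41.19", "144.31.1.63"}

# Assumed access-log layout: "<client_ip> <method> <path> <status>".
LOG_LINE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)
# A '..' path segment anywhere in the (decoded) request path.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def decode_path(path: str) -> str:
    """Decode twice so %252e-style double encoding is normalised before matching."""
    return unquote(unquote(path))


def is_fwbcgi_traversal(path: str) -> bool:
    """True if the request reaches /cgi-bin/fwbcgi through a '..' traversal."""
    decoded = decode_path(path)
    return "/cgi-bin/fwbcgi" in decoded and bool(TRAVERSAL.search(decoded))


def classify_request(ip: str, method: str, path: str) -> list:
    """Return the reasons a request deserves a closer look (empty list if none)."""
    reasons = []
    decoded = decode_path(path)
    if "fwbcgi" in decoded:
        reasons.append("request to fwbcgi endpoint")
        if TRAVERSAL.search(decoded):
            reasons.append("path traversal sequence in request")
        if method == "POST":
            reasons.append("POST to fwbcgi (account-creation pattern)")
    if ip in REPORTED_SOURCE_IPS:
        reasons.append("source IP reported in advisory")
    return reasons


def triage_log(lines) -> list:
    """Scan log lines; return (ip, path, reasons) for every suspicious request."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than guess
        reasons = classify_request(m["ip"], m["method"], m["path"])
        if reasons:
            findings.append((m["ip"], m["path"], reasons))
    return findings


def audit_admins(accounts, baseline) -> list:
    """Admin accounts that are advisory IoCs or are missing from the approved baseline."""
    return sorted(a for a in accounts if a in SUSPICIOUS_USERNAMES or a not in baseline)


# Constructed sample data so the script runs stand-alone.
SAMPLE_LOG = [
    "203.0.113.7 GET /api/v2.0/cmdb/system/status 200",
    "107.152.41.19 POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi 200",
    "198.51.100.4 POST /api/v2.0/cmdb/system/admin%253f/..%252f..%252f..%252fcgi-bin/fwbcgi 200",
    "198.51.100.9 GET /cgi-bin/fwbcgi 403",
]
SAMPLE_ADMINS = ["admin", "Testpoint", "ops-backup"]   # constructed export of the admin list
APPROVED_ADMINS = {"admin", "ops-backup"}               # constructed local baseline

if __name__ == "__main__":
    for ip, path, reasons in triage_log(SAMPLE_LOG):
        print(f"{ip} {path}: {'; '.join(reasons)}")
    print("admin accounts to investigate:", audit_admins(SAMPLE_ADMINS, APPROVED_ADMINS))
```

Any hit on `fwbcgi` is reported, not just traversal attempts, because the advisory's guidance is to inspect all requests to that path; the traversal and POST reasons raise priority rather than gate the finding. A 403 on a direct request is still worth a look, since it may be a scanner probing before the traversal variant.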
Fortinet cybersecurity rating report: https://www.rankiteo.com/company/fortinet
"id": "FOR1532815111725",
"linkid": "fortinet",
"type": "Vulnerability",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Unknown (all organizations using unpatched FortiWeb 8.0.1 or earlier)',
                        'industry': 'Cybersecurity',
                        'location': 'Global',
                        'name': 'Fortinet',
                        'size': 'Large Enterprise',
                        'type': 'Vendor'}],
 'attack_vector': ['Network', 'Exploit Public-Facing Application'],
 'customer_advisories': ['Fortinet customers advised to update to 8.0.2 and check for unauthorized accounts'],
 'date_detected': '2024-10-01T00:00:00Z',
 'date_publicly_disclosed': '2024-10-01T00:00:00Z',
 'description': "A recently uncovered path traversal vulnerability in Fortinet’s FortiWeb web application firewall (CVE not yet assigned) is being exploited globally. Attackers are creating new administrative accounts on unpatched devices without authentication. The flaw, fixed in FortiWeb 8.0.2, was first observed in early October 2024. Exploitation involves sending crafted HTTP POST requests to the endpoint `/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi`, bypassing authentication to generate admin-level accounts. Observed malicious usernames include 'Testpoint', 'trader1', and 'trader', with passwords like '3eMIXX43' and 'AFT3$tH4ckmet0d4yaga!n'. Attacks are automated, originating from IPs such as 107.152.41.19, 144.31.1.63, and blocks within 185.192.70.0/24. Security firms (PwnDefend, Defused, watchTowr Labs, Rapid7) confirmed the exploit and urged immediate patching (to 8.0.2) and system reviews for unauthorized accounts.",
 'impact': {'brand_reputation_impact': ['Potential reputational damage for Fortinet and affected organizations'],
            'operational_impact': ['Potential unauthorized administrative access',
                                   'Risk of lateral movement into corporate networks'],
            'systems_affected': ['FortiWeb appliances (unpatched versions)']},
 'initial_access_broker': {'backdoors_established': ["Unauthorized admin accounts (e.g., 'Testpoint', 'trader1')"],
                           'entry_point': 'Path traversal vulnerability in `/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi`',
                           'high_value_targets': ['FortiWeb management interfaces',
                                                  'Corporate networks (potential lateral movement)'],
                           'reconnaissance_period': 'Observed since early October 2024'},
 'investigation_status': 'Ongoing (active exploitation confirmed; patch available)',
 'lessons_learned': ['Critical importance of timely patching for publicly exposed devices',
                     'Need for continuous monitoring of administrative account changes',
                     'Risks of automated mass exploitation for unpatched vulnerabilities',
                     'Value of third-party research in identifying and mitigating zero-day threats'],
 'motivation': ['Unauthorized Access', 'Lateral Movement', 'Potential Foothold for Further Attacks'],
 'post_incident_analysis': {'corrective_actions': ['Patch management process review',
                                                   'Enhanced monitoring of administrative account changes',
                                                   'Restriction of management interface access',
                                                   'Proactive vulnerability scanning for exposed devices'],
                            'root_causes': ['Unpatched path traversal vulnerability in FortiWeb',
                                            'Public exposure of management interfaces',
                                            'Lack of timely vendor advisory (no CVE assigned as of disclosure)']},
 'recommendations': ['Immediately patch FortiWeb to version 8.0.2 or later',
                     'Audit all administrative accounts for unauthorized entries',
                     'Restrict management interface access to trusted networks/VPNs',
                     'Monitor logs for suspicious activity (e.g., requests to `fwbcgi`)',
                     'Assume compromise if running vulnerable versions and investigate thoroughly',
                     'Use artifact-generation tools (e.g., from watchTowr Labs) to detect vulnerable systems'],
 'references': [{'date_accessed': '2024-10-01T00:00:00Z', 'source': 'PwnDefend & Defused Research Team Analysis'},
                {'date_accessed': '2024-10-01T00:00:00Z', 'source': 'watchTowr Labs Exploit Confirmation'},
                {'date_accessed': '2024-10-01T00:00:00Z', 'source': 'Rapid7 Vulnerability Testing Report'}],
 'response': {'communication_strategy': ['Security advisories from researchers (PwnDefend, watchTowr Labs)',
                                         'Media reports urging immediate action'],
              'containment_measures': ['Update to FortiWeb 8.0.2',
                                       'Review administrative user lists for unexpected accounts',
                                       'Inspect logs for requests to `fwbcgi` path',
                                       'Block public internet access to management interfaces',
                                       'Restrict access to trusted networks or VPN-only channels'],
              'enhanced_monitoring': ['Log inspection for `fwbcgi` endpoint activity'],
              'incident_response_plan_activated': True,
              'network_segmentation': ['Restrict management interface access'],
              'remediation_measures': ['Apply firmware patch (8.0.2)', 'Remove unauthorized admin accounts'],
              'third_party_assistance': ['PwnDefend', 'Defused Research Team', 'watchTowr Labs', 'Rapid7']},
 'stakeholder_advisories': ['Urgent patching and system review recommended for all FortiWeb users'],
 'threat_actor': ['Unknown (Automated Mass Scanning)', 'Multiple Attackers'],
 'title': 'Global Exploitation of Path Traversal Vulnerability in Fortinet FortiWeb Web Application Firewall',
 'type': ['Unauthorized Access', 'Path Traversal Vulnerability', 'Privilege Escalation', 'Account Takeover'],
 'vulnerability_exploited': {'affected_versions': ['FortiWeb 8.0.1 and earlier'],
                             'description': 'Path traversal flaw in `/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi` allowing unauthenticated admin account creation via crafted HTTP POST requests.',
                             'name': 'FortiWeb Path Traversal Vulnerability (Unassigned CVE)',
                             'patched_version': '8.0.2',
                             'severity': 'Critical'}}