Categories: Cyber Security News

FortiWeb Authentication Bypass Vulnerability Let Attackers Log in As Any Existing User

A critical authentication bypass vulnerability in FortiWeb allows unauthenticated remote attackers to impersonate any existing user on affected systems. 

The vulnerability, tracked as CVE-2025-52970 with a CVSS score of 7.7, affects multiple FortiWeb versions and stems from improper parameter handling in the cookie parsing mechanism.

Key Takeaways
1. CVE-2025-52970 lets attackers bypass authentication to log in as any user on FortiWeb systems.
2. FortiWeb 7.0 through 7.6 branches are vulnerable; FortiWeb 8.0 is not affected.
3. Attackers manipulate cookie parameters to force zero-filled encryption keys.

FortiWeb Out-of-Bounds Vulnerability

The flaw is an out-of-bounds read in FortiWeb's cookie handling code, classified as CWE-233 (Improper Handling of Parameters).

During cookie parsing, the system uses an “Era” parameter to select encryption keys from a shared memory array without proper validation.

The FortiWeb session cookie contains three components: the Era (session type identifier), the Payload (encrypted session data, including username and role), and the AuthHash (an HMAC-SHA1 signature).

By setting the Era parameter to a value between 2 and 9, an attacker can make the key lookup read past the populated key slots into uninitialized memory, so the key the system ends up using can be all zeros.

Out-of-bounds Flaw

This effectively reduces the cryptographic security to zero: the probability that the key is all zeros goes from 1/2^n under normal circumstances (n being the key length in bits) to 1 under exploitation, so the attacker can compute a valid AuthHash for a payload of their choosing.
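The following is an added model of the mechanism described above, not FortiWeb's code: it does not reproduce the real cookie format, key sizes, cipher or key table layout, all of which are assumptions here. It models a key table of two real slots followed by zero-filled memory, a cookie of Era|Payload|AuthHash with the AuthHash computed as HMAC-SHA1, a stand-in stream cipher for the Payload, and contrasts the unchecked Era lookup with a bounds-checked one.

```python
import base64
import hashlib
import hmac
import json

# Constructed model of the cookie layout the article describes:
#   Era      - index used to pick the session key
#   Payload  - encrypted session data (username, role)
#   AuthHash - HMAC-SHA1 over Era and Payload
# The key table, cipher and "|" separators are stand-ins, not FortiWeb's real code.

KEY_LEN = 16
VALID_ERAS = (0, 1)  # assumption: two populated key slots

# Modelled "shared memory": two real keys followed by zero-filled slack,
# standing in for uninitialised memory past the end of the key array.
_REAL_KEYS = [hashlib.sha1(b"era-%d-key" % i).digest()[:KEY_LEN] for i in VALID_ERAS]
_KEY_MEMORY = b"".join(_REAL_KEYS) + b"\x00" * (KEY_LEN * 8)


def key_for_era(era, bounds_check):
    """Return the key selected by `era`.
    bounds_check=False models the vulnerable lookup: any single-digit era
    indexes straight into the memory region, so 2..9 yield an all-zero key.
    bounds_check=True models the fix: only populated slots are accepted."""
    if not 0 <= era <= 9:
        raise ValueError("era must be a single digit in this model")
    if bounds_check and era not in VALID_ERAS:
        raise ValueError("invalid era")
    off = era * KEY_LEN
    return _KEY_MEMORY[off:off + KEY_LEN]


def _keystream(key, nonce, length):
    # Stand-in stream cipher: concatenated HMAC-SHA1(key, nonce || counter) blocks.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha1).digest()
        ctr += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


NONCE = b"\x00" * 8  # fixed nonce keeps the model deterministic; not a secure choice


def encrypt_payload(key, session):
    plain = json.dumps(session, sort_keys=True).encode()
    return _xor(plain, _keystream(key, NONCE, len(plain)))


def decrypt_payload(key, blob):
    return json.loads(_xor(blob, _keystream(key, NONCE, len(blob))))


def auth_hash(key, era, payload):
    return hmac.new(key, bytes([era]) + payload, hashlib.sha1).digest()


def build_cookie(key, era, session):
    payload = encrypt_payload(key, session)
    tag = auth_hash(key, era, payload)
    return f"{era}|{base64.b64encode(payload).decode()}|{tag.hex()}"


def parse_session(cookie, bounds_check):
    """Server-side parse: returns the session dict, or None if the cookie is rejected."""
    try:
        era_s, payload_b64, tag_hex = cookie.split("|")
        era = int(era_s)
        payload = base64.b64decode(payload_b64)
        tag = bytes.fromhex(tag_hex)
        key = key_for_era(era, bounds_check)
    except ValueError:
        return None
    if not hmac.compare_digest(auth_hash(key, era, payload), tag):
        return None
    return decrypt_payload(key, payload)


def forge_admin_cookie(era=5):
    # The attacker knows nothing about the real keys. With era in 2..9 the
    # vulnerable server selects an all-zero key, which the attacker can simply assume.
    return build_cookie(b"\x00" * KEY_LEN, era, {"username": "admin", "role": "admin"})


if __name__ == "__main__":
    forged = forge_admin_cookie()
    print("vulnerable server:", parse_session(forged, bounds_check=False))
    print("patched server:   ", parse_session(forged, bounds_check=True))
```

The forged cookie is accepted by the unchecked lookup and rejected by the bounds-checked one; the same forgery under a real Era (0 or 1) fails in both cases, because the attacker's zero key does not match the populated slot. The defensive point is that the Era must be validated against the set of populated key slots before it is used as an index, and that any key selected should be rejected if it is all zeros.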

The researcher Aviv Y demonstrated this with a proof-of-concept targeting the /api/v2.0/system/status.systemstatus endpoint, showing successful admin impersonation through crafted cookie requests.

Risk Factors / Details

Affected Products: FortiWeb 7.0.0 through 7.0.10, 7.2.0 through 7.2.10, 7.4.0 through 7.4.7, 7.6.0 through 7.6.3 (FortiWeb 8.0 not affected)
Impact: Authentication bypass
Exploit Prerequisites: non-public device information; non-public information about the targeted user; an active session for that user during exploitation; brute-forcing a validation number (about 30 attempts)
CVSS 3.1 Score: 7.7 (High)

Mitigations

The vulnerability affects FortiWeb versions 7.0.0 through 7.0.10, 7.2.0 through 7.2.10, 7.4.0 through 7.4.7, and 7.6.0 through 7.6.3, while FortiWeb 8.0 remains unaffected. 


Organizations should upgrade to the fixed releases: 7.0.11 or later, 7.2.11 or later, 7.4.8 or later, or 7.6.4 or later, respectively.

The exploit requires specific conditions, including knowledge of non-public device information and an active target user session during exploitation.

Exploit chain

The remaining attack complexity lies in brute-forcing an unknown validation number tied to the refresh_total_logins() function, which typically takes fewer than 30 attempts at O(N) computational cost.

Security researcher Aviv Y, who discovered this vulnerability under responsible disclosure, developed a complete exploit chain utilizing the /ws/cli/open endpoint for CLI access. 

Fortinet has already released a patch for the vulnerability; administrators should update their systems with the patches released yesterday.


The post FortiWeb Authentication Bypass Vulnerability Let Attackers Log in As Any Existing User appeared first on Cyber Security News.
