Critical Fortinet FortiWeb Vulnerability Exploited in the Wild to Create Admin Accounts

A critical vulnerability in Fortinet’s FortiWeb Web Application Firewall (WAF) is being actively exploited by threat actors, potentially as a zero-day attack vector.

The flaw, which enables unauthenticated attackers to gain administrator-level access to the FortiWeb Manager panel and WebSocket command-line interface, was first highlighted through a proof-of-concept (PoC) exploit shared by cyber deception firm Defused on October 6, 2025. This discovery came after Defused’s honeypot captured real-world attempts targeting exposed FortiWeb instances.

https://twitter.com/DefusedCyber/status/1975242250373517373?ref_src=twsrc%5Etfw

FortiWeb serves as a vital defense mechanism, designed to detect and block malicious traffic aimed at web applications, making it a prime target for attackers seeking to undermine organizational security postures.

The vulnerability appears to stem from a path traversal issue that allows remote exploitation without prior access, potentially leading to full device compromise and subsequent lateral movement within networks.

Security firm Rapid7 confirmed the exploit’s efficacy through testing, noting it successfully creates unauthorized admin accounts like “hax0r” on vulnerable versions.

The testing revealed significant differences in responses between the affected and patched versions.

On FortiWeb 8.0.1, released in August 2025, a successful exploit returns an HTTP 200 OK response with JSON details of the new admin user, including encrypted passwords and access profiles.

In contrast, version 8.0.2, released at the end of October, rejects the attempt with an HTTP 403 Forbidden error, indicating potential mitigation.

Rapid7 emphasized that while the public PoC fails against 8.0.2, it’s unclear if this update includes a deliberate silent fix or coincidental changes.

Exploitation in the wild has been reported since October 2025, with Defused claiming targeted attacks on exposed devices. Global scanning and spraying of the exploit have escalated, involving IP addresses from regions like the US, Europe, and Asia.

Adding to the urgency, on November 6, 2025, Rapid7 spotted an alleged zero-day exploit for FortiWeb offered for sale on a prominent black hat forum, though its relation to this flaw remains unconfirmed.

Hacker Forum claims

As of November 13, 2025, Fortinet has not issued official guidance, assigned a CVE identifier, or published a matching advisory on its PSIRT feed.

Organizations using FortiWeb versions before 8.0.2 face immediate risk and should prioritize emergency updates or isolate management interfaces from public exposure. Defenders are also urged to scan logs for suspicious admin account creations and monitor Fortinet’s channels for impending disclosures.
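As an added example of the log review suggested above (this is not code from the article, Defused, Rapid7 or Fortinet), the script below scans exported event-log lines for administrator-account creations and flags any whose username is not on an expected list or whose source address lies outside the management networks. The key=value line format and every field name (`type`, `subtype`, `action`, `object`, `name`, `srcip`) are assumptions modelled on Fortinet-style logs; the sample lines are constructed, and the “hax0r” username is the one the article reports Rapid7 observing. Map the field names to the ones in your own FortiWeb export before use.

```python
"""Flag suspicious admin-account creations in exported FortiWeb event logs.

Added example, not from the article or from Fortinet. The key=value log
format and the field names below are assumptions; adjust them to match the
fields in your own FortiWeb event-log export.
"""
import ipaddress
import shlex
from dataclasses import dataclass, field

# Constructed sample log lines (not real captured data). The second line
# models the unauthorized "hax0r" account creation the article describes.
SAMPLE_LOG = """\
date=2025-10-06 time=03:14:07 type=event subtype=admin user="admin" srcip=10.0.5.12 action="add" object="admin_user" name="oncall-ops" msg="Administrator account added"
date=2025-10-06 time=03:15:22 type=event subtype=admin user="admin" srcip=203.0.113.44 action="add" object="admin_user" name="hax0r" msg="Administrator account added"
date=2025-10-06 time=03:16:01 type=event subtype=admin user="admin" srcip=10.0.5.12 action="login" msg="Administrator login succeeded"
"""

# Assumed baseline: admin usernames your change process expects to exist,
# and the networks from which admin management is permitted.
EXPECTED_ADMINS = {"admin", "oncall-ops"}
MGMT_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]


@dataclass
class Finding:
    name: str           # admin account that was created
    srcip: str          # address the creation request came from
    reasons: list = field(default_factory=list)


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict; quoted values keep spaces."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_admin_creation(event: dict) -> bool:
    """True when the event records a new administrator account (assumed fields)."""
    return (
        event.get("type") == "event"
        and event.get("subtype") == "admin"
        and event.get("action") == "add"
        and event.get("object") == "admin_user"
    )


def from_mgmt_network(ip: str) -> bool:
    """True when the source address falls inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed or missing address is itself suspicious
    return any(addr in net for net in MGMT_NETWORKS)


def find_suspicious_admin_creations(log_text: str, expected=EXPECTED_ADMINS) -> list:
    """Return a Finding for every admin creation that breaks the baseline."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if not is_admin_creation(event):
            continue
        name = event.get("name", "")
        srcip = event.get("srcip", "")
        reasons = []
        if name not in expected:
            reasons.append(f"account {name!r} is not an expected admin")
        if not from_mgmt_network(srcip):
            reasons.append(f"created from {srcip or '<missing>'} outside management networks")
        if reasons:
            findings.append(Finding(name, srcip, reasons))
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_admin_creations(SAMPLE_LOG):
        print(f"SUSPICIOUS admin creation: {hit.name} from {hit.srcip}")
        for reason in hit.reasons:
            print(f"  - {reason}")
```

On the constructed sample the expected “oncall-ops” account created from the management subnet passes, while “hax0r” is reported for both an unexpected username and an external source address. Because the exploit creates accounts through the appliance itself, the `user` field will typically show a legitimate administrator name, so the checks key on the created account and its origin rather than on who the log says performed the action.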

The absence of vendor acknowledgment heightens concerns, especially given Fortinet’s history of targeted attacks.

Researchers at watchTowr Labs have even released tools to detect vulnerable instances by generating random admin users.

This incident underscores the need for rapid patching in critical infrastructure, as broad exploitation could soon follow initial targeted hits. Updates to this story will incorporate any official responses from Fortinet.

The post Critical Fortinet FortiWeb Vulnerability Exploited in the Wild to Create Admin Accounts appeared first on Cyber Security News.