Fortinet FortiWeb Zero-Day Exploited to Hijack Admin Accounts
This severe security flaw affects organizations worldwide that rely on FortiWeb to protect their web applications from malicious traffic.
On October 6, 2025, cyber deception firm Defused disclosed a proof-of-concept exploit captured by its Fortinet FortiWeb Manager honeypot infrastructure.
The vulnerability allows attackers to gain full administrator-level access to both the FortiWeb Manager panel and the websocket command-line interface without possessing any existing credentials or permissions.
Evidence suggests that exploitation in the wild has been ongoing since October 2025, through coordinated, targeted attacks against vulnerable systems.
Security researchers at Rapid7 independently verified the exploit’s effectiveness against FortiWeb version 8.0.1, which was released in August 2025.
During testing, researchers successfully created a malicious administrator account with full access, demonstrating the vulnerability’s severity.
However, exploitation attempts against the latest version, 8.0.2, resulted in “403 Forbidden” responses, suggesting potential mitigations in the newer release.
On November 6, 2025, Rapid7 Labs identified an alleged zero-day exploit targeting FortiWeb being advertised for sale on a prominent black-hat forum.
While the connection to the publicly disclosed vulnerability remains unconfirmed, this development indicates heightened interest from cybercriminal communities in exploiting FortiWeb deployments.
Organizations running FortiWeb versions before 8.0.2 face significant risks. Successful exploitation grants attackers complete control over the security appliance, allowing them to create unauthorized local administrator accounts, manipulate security policies, and potentially pivot to protected web applications.
The vulnerability’s network-based attack vector, combined with low complexity and zero authentication requirements, makes it particularly dangerous for internet-exposed FortiWeb management interfaces.
As of November 13, 2025, Fortinet has not issued official guidance or assigned a CVE identifier for this vulnerability, raising concerns about the full scope of the security issue.
Organizations should immediately update to FortiWeb version 8.0.2 or remove management interfaces from public internet exposure.
Security teams must continuously monitor Fortinet’s PSIRT feed for official vendor guidance and implement defense-in-depth measures to protect FortiWeb deployments from compromise.
Given the active exploitation and availability of public exploits, emergency remediation should be prioritized.
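The remediation advice above (update to 8.0.2, take management interfaces off the public internet, and watch for unauthorized local administrator accounts) can be turned into a repeatable inventory triage. The following is an added example, not code from the article, from Fortinet or from any of the researchers it cites; the appliance names, version strings, exposure flags, admin-account lists and the baseline are all constructed for illustration, and a real run would be fed from an organisation's own asset inventory and configuration exports. It also shows one pitfall worth handling: comparing version strings lexically would rank 8.0.10 below 8.0.2, so versions are compared as integer tuples.

```python
"""Inventory triage for the FortiWeb remediation advice in the article.

Added example (not the article's, Fortinet's or Rapid7's code).  All
inventory data below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# First release that returned "403 Forbidden" in Rapid7's testing (from the article).
FIXED_VERSION = "8.0.2"


@dataclass
class Appliance:
    """One FortiWeb appliance as it might appear in an asset inventory (assumed shape)."""
    name: str
    version: str
    mgmt_internet_exposed: bool
    admin_accounts: list[str] = field(default_factory=list)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '8.0.10' into (8, 0, 10) so comparisons are numeric.

    A plain string comparison would rank '8.0.10' below '8.0.2'.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """Versions before 8.0.2 are the ones the article says face significant risk."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def unexpected_admins(appliance: Appliance, baseline: list[str]) -> list[str]:
    """Local admin accounts not present in the approved baseline."""
    return sorted(set(appliance.admin_accounts) - set(baseline))


def triage(appliance: Appliance, baseline: list[str]) -> dict:
    """Assign a remediation priority and the concrete actions for one appliance."""
    vulnerable = is_vulnerable_version(appliance.version)
    extra_admins = unexpected_admins(appliance, baseline)
    actions: list[str] = []

    if vulnerable:
        actions.append(f"upgrade to FortiWeb {FIXED_VERSION} or later")
        if appliance.mgmt_internet_exposed:
            actions.append("remove management interface from public internet exposure")
    if extra_admins:
        actions.append("review unexpected admin accounts for signs of compromise")

    if extra_admins:
        # An unknown admin on any appliance is treated as a possible compromise
        # and outranks the patch-only cases.
        priority = "investigate"
    elif vulnerable and appliance.mgmt_internet_exposed:
        priority = "emergency"
    elif vulnerable:
        priority = "high"
    else:
        priority = "patched"

    return {
        "name": appliance.name,
        "priority": priority,
        "vulnerable_version": vulnerable,
        "unexpected_admins": extra_admins,
        "actions": actions,
    }


# Constructed sample inventory and approved-admin baseline (hypothetical names).
SAMPLE_BASELINE = ["admin", "svc_backup"]
SAMPLE_INVENTORY = [
    Appliance("fw-edge-01", "8.0.1", True, ["admin", "svc_backup", "sup0rt"]),
    Appliance("fw-edge-02", "8.0.10", True, ["admin"]),
    Appliance("fw-lab-01", "8.0.0", False, ["admin"]),
]


def run_sample() -> list[dict]:
    """Triage the constructed inventory, most urgent first."""
    order = {"investigate": 0, "emergency": 1, "high": 2, "patched": 3}
    results = [triage(a, SAMPLE_BASELINE) for a in SAMPLE_INVENTORY]
    return sorted(results, key=lambda r: order[r["priority"]])


if __name__ == "__main__":
    for row in run_sample():
        print(f"{row['name']:<12} {row['priority']:<12} {'; '.join(row['actions']) or 'no action'}")
```

Run as a script it prints one line per appliance; in the constructed sample, fw-edge-01 is flagged for investigation because of the unknown admin account, fw-lab-01 needs an upgrade, and fw-edge-02 (8.0.10) is correctly recognised as already patched.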
The post Fortinet FortiWeb Zero-Day Exploited to Hijack Admin Accounts appeared first on Cyber Security News.