FortiWeb Authentication Bypass Vulnerability Exploited – Script to Detect Vulnerable Appliances

Threat actors are actively exploiting a critical authentication bypass vulnerability in Fortinet’s FortiWeb web application firewall (WAF) worldwide, prompting defenders to heighten vigilance.

Researchers at watchTowr Labs have responded by releasing a Detection Artefact Generator script, designed to help organizations scan their environments for vulnerable FortiWeb appliances and mitigate risks swiftly.​

The vulnerability, tracked as CVE-2025-52970, stems from improper parameter handling in FortiWeb, enabling unauthenticated remote attackers to log in as any existing user via crafted requests.

With a CVSS score of 7.7, it requires some non-public knowledge of the device but poses severe risks, including privilege escalation and potential remote code execution on affected systems.

https://twitter.com/cyb3rops/status/1988892219105845509?ref_src=twsrc%5Etfw

Fortinet patched the flaw in versions 8.0.2 and later, but in-the-wild attacks have surged since a partial proof-of-concept surfaced publicly in August 2025, targeting exposed FortiWeb instances indiscriminately.

Security firms report dozens of compromises, underscoring the urgency for immediate patching amid ongoing exploitation campaigns.​

WatchTowr Labs’ open-source tool, hosted on GitHub at watchTowr-vs-Fortiweb-AuthBypass, simplifies detection by simulating the bypass mechanism. The Python script generates a unique username and password (e.g., “35f36895”) and sends an exploit payload to the target IP, such as python watchTowr-vs-Fortiweb-AuthBypass.py 192.168.1.99.

If successful, it confirms vulnerability by creating a temporary user, alerting administrators to remediate. Authored by Sina Kheirkhah (@SinSinology) and Jake Knott (@inkmoro), the script targets FortiWeb versions below 8.0.2, with specifics available via FortiGuard Labs PSIRT.​

Organizations should prioritize scanning internet-facing appliances, applying patches, and monitoring for anomalous logins. As supply chain attacks evolve, tools like this empower proactive defense in a threat landscape where WAFs ironically become entry points.​

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post FortiWeb Authentication Bypass Vulnerability Exploited – Script to Detect Vulnerable Appliances appeared first on Cyber Security News.