Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Critical FortiWeb flaw under attack, allowing complete compromise

A Fortinet FortiWeb auth-bypass flaw is being actively exploited, allowing attackers to hijack admin accounts and fully compromise devices. Researchers warn of an authentication bypass flaw in Fortinet FortiWeb WAF that allows full device takeover. The cybersecurity vendor addressed the vulnerability with the release version 8.0.2. A security flaw lets anyone break into FortiWeb devices […]

fortinet FortiBleed

A Fortinet FortiWeb auth-bypass flaw is being actively exploited, allowing attackers to hijack admin accounts and fully compromise devices.

Researchers warn of an authentication bypass flaw in Fortinet FortiWeb WAF that allows full device takeover.

The cybersecurity vendor addressed the vulnerability with the release version 8.0.2.

A security flaw lets anyone break into FortiWeb devices and get full admin control. The issue was publicly disclosed after Defused shared a PoC on October 6, 2025, following real attack attempts captured by its honeypot.

watchTowr Labs confirmed the FortiWeb exploit and published the video PoC on X. The team also released a tool, the “FortiWeb Authentication Bypass Artifact Generator,” which tries to exploit the flaw by creating an admin account with a random 8-character username.

Defused and researcher Daniel Card report that attackers are exploiting the flaw by sending a crafted HTTP POST request to “/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi” to create a new admin account.

“So this is already public and already being sprayed over the internet, there’s always a concern here when we think about how much intel to share/publish etc. So I’m not going to write the full details but I will give enough to help with detection logic (someone else is free to do more, that’s their own choice!)” Card explained.

The TA appears to send a payload to the following URL Endpoint via an HTTP POST request

/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi

Inside this is a payload to create a user account.”

Card extracted the following credentials from the payloads:

UsernamePassword
TestpointAFodIUU3Sszp5
trader13eMIXX43
trader3eMIXX43
test1234pointAFT3$tH4ck
TestpointAFT3$tH4ck
TestpointAFT3$tH4ckmet0d4yaga!n

At this time, is unclear who is behind the exploitation attempts.

On November 6, 2025, Rapid7 Labs researchers noted the sale of an alleged zero-day exploit targeting FortiWeb on a popular black hat forum.

However, it is unclear if it is the same exploit as the one described by the researchers.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, FortiWeb)