A Fortinet FortiWeb path traversal-driven authentication bypass vulnerability is actively exploited in the wild, affecting versions prior to 8.0.2. Researchers have observed automated spraying at scale. Review this Cybersecurity Threat Advisory to learn how to best protect your environment and mitigate your risk.
What is the threat?
Attackers send specially crafted HTTP POST requests with specific parameters to reach a privileged FortiWeb binary, bypass authentication, and execute admin actions. This enables creation of new local admin accounts for persistent control—resulting in full administrative takeover without valid credentials.
Active exploitation is occurring globally against internet-facing FortiWeb instances. Versions 8.0.1 and earlier are vulnerable; version 8.0.2 contains the fix. Devices exposing management interfaces to the internet face the highest risk.
Why is it noteworthy?
FortiWeb is a web application firewall, and an admin takeover can quickly compromise security and availability. Public Proof-of-Concept code and active exploitation mean unpatched devices can be compromised rapidly and at scale. Silent patching and limited disclosure add uncertainty, making immediate action and proactive monitoring critical.
What is the exposure or risk?
Successful exploitation lets attackers create admin accounts and take full control of FortiWeb configuration. They can disable protections, alter policies, change SSL or routing settings, and tamper with logs to hide activity. Compromised appliances become pivot points to protected apps and backend systems. Persistence through rogue admin accounts enables long-term, stealthy manipulation and data exfiltration. Internet-exposed, unpatched devices face the highest risk. Delayed remediation increases the likelihood of outages, reputational damage, and regulatory penalties.
What are the recommendations?
Barracuda strongly recommends organizations to take the following actions to reduce risk and protect application security infrastructure:
- Upgrade all FortiWeb appliances to version 8.0.2.
- Review local admin lists, remove unauthorized users, and rotate credentials for legitimate admins.
- Monitor for requests targeting CGI paths and anomalous management API calls, and correlate with recent account creation and config changes.
- Remove public exposure and allow access only from trusted admin networks or VPN; enforce MFA for all admin logins.
- Place FortiWeb behind strict network segmentation and use allowlists for management access.
- Alert on unusual admin logins, rapid policy changes, and connections from suspicious sources.
- Compare current policies and SSL objects to known-good baselines. If you find tampering, restore from clean backups immediately.
- Check for unauthorized users, review logs, and test functionality to confirm protections are active after upgrading.
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2025/11/fortinet-fortiweb-flaw-actively.html
- https://www.bleepingcomputer.com/news/security/fortiweb-flaw-with-public-poc-actively-exploited-to-create-admin-users/
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.