Cybersecurity researchers are alerting organizations to a critical authentication bypass vulnerability discovered in Fortinet’s FortiWeb Web Application Firewall (WAF) that could grant attackers administrative control over compromised devices. The watchTowr cybersecurity firm has observed active exploitation of this flaw “in the wild,” indicating a significant and immediate threat to businesses relying on vulnerable FortiWeb appliances.
The vulnerability, which was reportedly patched in version 8.0.2 of FortiWeb, allows attackers to bypass authentication mechanisms and execute actions with privileged user rights. According to watchTowr CEO Benjamin Harris, the primary exploitation tactic observed involves the creation of new administrator accounts, establishing a persistent foothold for threat actors to maintain access and conduct further malicious activities.
Fortinet FortiWeb Vulnerability Allows Admin Account Takeover
The technical specifics of the exploit, shared by Defused and security researcher Daniel Card of PwnDefend, involve sending a crafted HTTP POST request to a specific endpoint on the FortiWeb device. This request, directed to “/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi,” initiates the creation of a new administrator account. The success of this exploit means potentially any unpatched FortiWeb device could be compromised.
Evidence of in-the-wild exploitation has surfaced, with researchers identifying several administrator usernames and passwords created by the malicious payloads. These include credentials like “Testpoint / AFodIUU3Sszp5,” “trader1 / 3eMIXX43,” and variants such as “Testpoint / AFT3$tH4ckmet0d4yaga!n.” The indiscriminate nature of the observed attacks suggests that the threat actor may not be targeting specific organizations but rather casting a wide net to identify susceptible FortiWeb installations.
The identity and full scope of the threat actor behind these attacks remain unknown. Exploitation activity related to this Fortinet FortiWeb vulnerability was initially detected in early October 2025. As of this report, Fortinet has not yet assigned a CVE identifier to the vulnerability and has not published a formal advisory on its Product Security incident Response Team (PSIRT) feed, which is standard practice for publicly disclosed security flaws.
However, Rapid7 has urged organizations using FortiWeb versions prior to 8.0.2 to address the vulnerability as an emergency priority. The firm reported observing an alleged zero-day exploit targeting FortiWeb being offered for sale on a “black hat forum” on November 6, 2025. It is currently unclear if this reported exploit is identical to the one actively being exploited in the wild.
The current situation presents a familiar challenge for IT security teams. In the absence of a formal advisory from Fortinet, organizations are advised to investigate their systems for signs of prior compromise and to apply the available patches as soon as possible. Given the ongoing and indiscriminate nature of the exploitation, any FortiWeb appliances that have not yet been patched are at a high risk of already being compromised. The next crucial step will be Fortinet’s official response, including the release of a CVE and detailed guidance for mitigation.