A serious security hole in Fortinet’s FortiWeb web application firewall (WAF) is being actively exploited by attackers, enabling them to gain complete admin control without prior access.
This vulnerability, first highlighted in a publicly shared proof-of-concept (PoC) exploit on October 6, 2025, by cybersecurity firm Defused, targets the FortiWeb Manager panel and its websocket command-line interface.
FortiWeb protects web applications from threats such as SQL injection and cross-site scripting.
However, this flaw turns the tool against its users, letting hackers create rogue admin accounts and run commands freely.
The issue surfaced when Defused captured the PoC in one of their honeypots—decoy systems designed to lure attackers.
According to Defused’s social media post, real-world exploitation began in October 2025, likely in targeted attacks. Rapid7, a security research firm, confirmed that the PoC works on older versions, such as 8.0.1 (released in August 2025), but fails on the latest 8.0.2.
No CVE number has been assigned yet, and Fortinet hasn’t issued official guidance as of November 13, 2025.
This leaves organizations in a bind, especially since the flaw grants control comparable to remote code execution (RCE), potentially exposing sensitive web environments to data theft or further breaches.
At its core, the flaw exploits a weakness in how FortiWeb handles admin authentication and user creation requests.
Attackers send crafted HTTP POST requests to the management interface, bypassing checks to add a new local admin user with full privileges.
For instance, in a successful exploit on version 8.0.1, the server responds with a 200 OK status and JSON data confirming the new account, such as “hax0r” with profile “prof_admin” and trust hosts set to “0.0.0.0/0” (allowing access from anywhere).
The response includes encrypted password fields and settings such as “type: local-user” and “accprofile-override: disable,” indicating that the attacker now controls the system.
On version 8.0.2, attempts trigger a 403 Forbidden error with a simple HTML page: “<h1>Forbidden</h1><p>You don’t have permission to access this resource.</p>.”
This suggests the update either patched the bug silently or altered request handling to block the PoC.
Rapid7 noted a separate zero-day exploit for sale on a black hat forum around November 6, 2025, which might be related, raising fears of broader attacks.
Without vendor details, it’s unclear whether 8.0.2 fixes it entirely or if variants could emerge.
Fortinet urges immediate action: upgrade to version 8.0.2 or pull the management interface off the public internet to limit exposure.
Monitor the official FortiGuard PSIRT feed for updates, as patches might evolve. Rapid7 plans to add authenticated checks to its InsightVM and Nexpose tools soon.
Organizations using FortiWeb should scan logs for suspicious 200 OK responses with new user creations and enable strict access controls.
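As an added illustration of the log check suggested above (example code written for this article, not Fortinet's or Rapid7's), the following Python scans constructed JSON-per-line events for successful admin-creation POSTs and flags the indicators the article describes, an all-hosts trust entry and a source outside the management range; the endpoint path, field names and management ranges are assumptions, not FortiWeb's real log schema.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample log: one JSON event per line, modelled loosely on the
# response described in the article. The path and field names are
# assumptions for this example, not FortiWeb's real log schema.
SAMPLE_LOG = """\
{"ts":"2025-11-13T10:01:02Z","src":"203.0.113.7","method":"POST","path":"/example-admin-api","status":200,"body":{"name":"hax0r","accprofile":"prof_admin","trusthost":["0.0.0.0/0"],"type":"local-user","accprofile-override":"disable"}}
{"ts":"2025-11-13T10:01:05Z","src":"203.0.113.7","method":"POST","path":"/example-admin-api","status":403,"body":{"name":"hax0r","accprofile":"prof_admin","trusthost":["0.0.0.0/0"]}}
{"ts":"2025-11-13T10:02:00Z","src":"10.0.5.12","method":"POST","path":"/example-admin-api","status":200,"body":{"name":"ops-alice","accprofile":"prof_admin","trusthost":["10.0.5.0/24"],"type":"local-user"}}
{"ts":"2025-11-13T10:03:00Z","src":"10.0.5.12","method":"GET","path":"/example-admin-api","status":200,"body":{}}
"""

# Assumed: the networks from which administrators legitimately connect.
MGMT_NETS = [ip_network("10.0.5.0/24")]

def trusthost_is_open(hosts):
    """True if any trust-host entry is a catch-all (prefix length 0, v4 or v6)."""
    for h in hosts:
        try:
            if ip_network(h, strict=False).prefixlen == 0:
                return True
        except ValueError:
            continue  # ignore malformed entries rather than crash the scan
    return False

def suspicious_admin_creations(log_text):
    """Return (timestamp, username, reasons) for each suspicious 200 OK account creation."""
    findings = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        body = ev.get("body") or {}
        # Only successful POSTs that actually created an account matter;
        # a 403 (as seen on 8.0.2) means the attempt was blocked.
        if ev["method"] != "POST" or ev["status"] != 200 or "name" not in body:
            continue
        reasons = []
        if trusthost_is_open(body.get("trusthost", [])):
            reasons.append("trusthost 0.0.0.0/0")
        src = ip_address(ev["src"])
        if not any(src in n for n in MGMT_NETS):
            reasons.append(f"source {src} outside management range")
        if reasons:
            findings.append((ev["ts"], body["name"], reasons))
    return findings

if __name__ == "__main__":
    for ts, user, reasons in suspicious_admin_creations(SAMPLE_LOG):
        print(f"{ts} new admin {user!r}: {'; '.join(reasons)}")
```

Legitimate creations from the management range with scoped trust hosts pass silently, so the output is only the events worth a closer look.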
This incident highlights the risks of exposed WAF managers; always segment them behind firewalls.
As exploitation ramps up, swift patching is key to avoiding admin takeovers that could cascade into full network compromises.