Critical Fortinet FortiWeb Vulnerability Exploited to Create Unauthorized Admin Accounts
A critical security flaw has been identified in Fortinet’s FortiWeb Web Application Firewall (WAF), which is currently being actively exploited by cyber attackers. This vulnerability allows unauthenticated individuals to gain administrator-level access to the FortiWeb Manager panel and the WebSocket command-line interface, posing a significant threat to organizations relying on FortiWeb for web application security.
Discovery and Initial Exploitation
The vulnerability came to light when cyber deception firm Defused shared a proof-of-concept (PoC) exploit on October 6, 2025. This revelation followed the capture of real-world attack attempts targeting exposed FortiWeb instances through Defused’s honeypot systems. The exploit appears to be a variant of CVE-2022-40684, a previously known Fortinet vulnerability.
Defused reported an unknown Fortinet exploit from IP address 64.95.13.8, noting that the JWT payload translates into:
“`json
{
username: admin,
profname: prof_admin,
vdom: root,
loginname: admin
}
“`
This indicates that attackers can create unauthorized administrative accounts, granting them full control over the affected FortiWeb devices.
Technical Details and Exploitation
FortiWeb serves as a critical defense mechanism, designed to detect and block malicious traffic aimed at web applications. However, this vulnerability stems from a path traversal issue that allows remote exploitation without prior access. Attackers can exploit this flaw to gain full device control, potentially leading to lateral movement within the network and further compromise of organizational security.
Security firm Rapid7 confirmed the exploit’s efficacy through testing, noting that it successfully creates unauthorized admin accounts like hax0r on vulnerable versions. Their testing revealed significant differences in responses between affected and patched versions.
On FortiWeb version 8.0.1, released in August 2025, a successful exploit returns an HTTP 200 OK response with JSON details of the new admin user, including encrypted passwords and access profiles. In contrast, version 8.0.2, released at the end of October, rejects the attempt with an HTTP 403 Forbidden error, indicating potential mitigation.
Rapid7 emphasized that while the public PoC fails against version 8.0.2, it’s unclear if this update includes a deliberate silent fix or coincidental changes.
Active Exploitation and Global Impact
Exploitation in the wild has been reported since October 2025, with Defused claiming targeted attacks on exposed devices. Global scanning and spraying of the exploit have escalated, involving IP addresses from regions like the United States, Europe, and Asia.
Adding to the urgency, on November 6, 2025, Rapid7 spotted an alleged zero-day exploit for FortiWeb offered for sale on a prominent black hat forum, though its relation to this flaw remains unconfirmed.
Fortinet’s Response and Recommendations
As of November 13, 2025, Fortinet has not issued official guidance, assigned a CVE identifier, or published a matching advisory on its PSIRT feed. This lack of official acknowledgment heightens concerns, especially given Fortinet’s history of targeted attacks.
Organizations using FortiWeb versions before 8.0.2 face immediate risk and should prioritize emergency updates or isolate management interfaces from public exposure. Defenders are also urged to scan logs for suspicious admin account creations and monitor Fortinet’s channels for impending disclosures.
Researchers at watchTowr Labs have even released tools to detect vulnerable instances by generating random admin users.
Conclusion
This incident underscores the critical need for rapid patching in critical infrastructure, as broad exploitation could soon follow initial targeted hits. Organizations must remain vigilant, apply necessary updates, and monitor for any signs of compromise to protect their systems from this actively exploited vulnerability.
