Critical FortiWeb Vulnerability CVE-2025-52970 Exploited; Detection Tool Released for Immediate Mitigation

A critical authentication bypass vulnerability in Fortinet’s FortiWeb web application firewall (WAF) is being actively exploited by threat actors worldwide. This flaw, identified as CVE-2025-52970, allows unauthenticated remote attackers to impersonate any existing user on affected systems. The vulnerability arises from improper parameter handling in FortiWeb’s cookie parsing mechanism, enabling attackers to manipulate cookie parameters and force zero-filled encryption keys. This manipulation can lead to privilege escalation and potential remote code execution.

Fortinet has addressed this issue in FortiWeb version 8.0.2 and later. However, since a partial proof-of-concept (PoC) exploit was publicly released in August 2025, there has been a significant increase in attacks targeting exposed FortiWeb instances. Security firms have reported numerous compromises, highlighting the urgency for organizations to apply the necessary patches promptly.

In response to the escalating threat, researchers at watchTowr Labs have developed and released an open-source Detection Artefact Generator script. This Python-based tool assists organizations in identifying vulnerable FortiWeb appliances within their environments. By simulating the authentication bypass mechanism, the script generates a unique username and password, sends an exploit payload to the target IP, and confirms vulnerability by creating a temporary user if successful. This proactive approach enables administrators to detect and remediate vulnerabilities swiftly.

Organizations are strongly advised to prioritize scanning their internet-facing FortiWeb appliances with this detection tool, apply the patched release without delay, and monitor for anomalous login activity, such as sessions for accounts that should not be logging in or logins from unexpected sources. As threats continue to evolve, using such tools alongside timely patching is essential to maintaining a robust defense and preventing unauthorized access through exploited vulnerabilities.