{"id":654,"date":"2025-11-17T19:45:15","date_gmt":"2025-11-17T18:45:15","guid":{"rendered":"https:\/\/lars-hilse.de\/lhx18\/?p=654"},"modified":"2025-11-17T19:45:16","modified_gmt":"2025-11-17T18:45:16","slug":"critical-fortinet-fortiweb-zero-day-actively-exploited-since-october-attackers-creating-admin-accounts","status":"publish","type":"post","link":"https:\/\/lars-hilse.de\/lhx18\/2025\/11\/critical-fortinet-fortiweb-zero-day-actively-exploited-since-october-attackers-creating-admin-accounts\/","title":{"rendered":"Critical Fortinet FortiWeb Zero-Day Actively Exploited Since October – Attackers Creating Admin Accounts"},"content":{"rendered":"
<\/div>\n

<\/h1>\n\n\n\n

Oh Fortinet, you beautiful disaster. Just when enterprises thought their web application firewalls were protecting them, here comes a critical zero-day that’s been getting hammered since early October. And the best part? Attackers are creating admin accounts with passwords like “AFT3$tH4ck” and “AFT3$tH4ckmet0d4yaga!n”. I mean, at least they’ve got a sense of humor about it.<\/p>\n\n\n\n

What the Hell Happened<\/h2>\n\n\n\n

CVE-2025-64446 is a path traversal vulnerability combined with an authentication bypass in Fortinet’s FortiWeb web application firewall. CVSS score? A lovely 9.1 to 9.8 depending on who’s scoring. That’s “drop everything and patch this shit immediately” territory.<\/p>\n\n\n\n

The flaw affects FortiWeb versions 8.0.1 and earlier, and here’s the fun part: it’s unauthenticated. Meaning any asshole on the internet can exploit it without needing credentials first.<\/p>\n\n\n\n

Threat intelligence firm Defused first spotted exploitation on October 6, 2025. Since then, attacks have escalated significantly, with threat actors now spraying the exploit globally.<\/p>\n\n\n\n

The Technical Breakdown (For the Nerds)<\/h2>\n\n\n\n

The vulnerability lives in this delightful endpoint:<\/p>\n\n\n\n

\/api\/v2.0\/cmdb\/system\/admin%3f\/..\/..\/..\/..\/..\/cgi-bin\/fwbcgi\n<\/code><\/pre>\n\n\n\n
Attackers are sending crafted HTTP POST requests to this path that allow them to create local admin-level accounts on the targeted FortiWeb device. No authentication required. Just send the payload and boom, you’ve got admin access.<\/p>\n\n\n\n
According to researchers at watchTowr Labs, PwnDefend, and Defused, the exploitation includes creating accounts with usernames like:<\/p>\n\n\n\n
    \n
  • Testpoint<\/code><\/li>\n\n\n\n
  • trader1<\/code>  <\/li>\n\n\n\n
  • trader<\/code><\/li>\n<\/ul>\n\n\n\n
    With passwords including:<\/p>\n\n\n\n
      \n
    • 3eMIXX43<\/code><\/li>\n\n\n\n
    • AFT3$tH4ck<\/code><\/li>\n\n\n\n
    • AFT3$tH4ckmet0d4yaga!n<\/code><\/li>\n<\/ul>\n\n\n\n
      watchTowr even posted a video demonstrating the exploit: failed login attempt, exploit execution, successful login as the newly created admin user. They also released a tool called “FortiWeb Authentication Bypass Artifact Generator” to help defenders identify vulnerable devices.<\/p>\n\n\n\n
      Who’s Behind This?<\/h2>\n\n\n\n
      The attacks are coming from a wide range of IP addresses, including:<\/p>\n\n\n\n
        \n
      • 107.152.41.19<\/li>\n\n\n\n
      • 144.31.1.63<\/li>\n\n\n\n
      • Multiple addresses in the 185.192.70.0\/24 range<\/li>\n\n\n\n
      • 64.95.13.8 (from the original October report)<\/li>\n<\/ul>\n\n\n\n
        This suggests multiple threat actors are actively exploiting the flaw, which makes sense given that working exploit code is now publicly available.<\/p>\n\n\n\n
        CISA Is Pissed<\/h2>\n\n\n\n
        CISA added CVE-2025-64446 to their Known Exploited Vulnerabilities (KEV) catalog, which means federal agencies have a tight deadline to patch or remove affected systems. When CISA adds something to the KEV, you know it’s being actively abused in the wild.<\/p>\n\n\n\n
        The Patch Situation<\/h2>\n\n\n\n
        Fortinet reportedly fixed the vulnerability in FortiWeb version 8.0.2, which appears to have been released at the end of October. But here’s where it gets weird: as of mid-November, there was no public disclosure of this vulnerability on Fortinet’s PSIRT site<\/strong>.<\/p>\n\n\n\n
        BleepingComputer reached out to Fortinet for comment and got… crickets, apparently. So we’ve got a critical zero-day, active exploitation, a patch released, CISA involvement, and Fortinet’s official vulnerability disclosure site has nothing. Classic.<\/p>\n\n\n\n
        Update: Fortinet eventually released an advisory, but the delay in public communication is concerning for a vulnerability this critical.<\/p>\n\n\n\n
        What You Need to Do Right Fucking Now<\/h2>\n\n\n\n
        If you’re running FortiWeb in your environment, here’s your action plan:<\/p>\n\n\n\n
        1. Update immediately to FortiWeb 8.0.2 or later.<\/strong> I don’t care if it’s Sunday. I don’t care if you’re on vacation. Patch this thing.<\/p>\n\n\n\n
        2. Review your devices for unusual administrative accounts.<\/strong> Check for accounts named things like “trader1” or “Testpoint” or anything you didn’t create.<\/p>\n\n\n\n
        3. Check logs for requests to the fwbcgi<\/code> path.<\/strong> If you see suspicious POST requests to \/api\/v2.0\/cmdb\/system\/admin<\/code> with path traversal attempts, you’ve likely been hit.<\/p>\n\n\n\n
        4. Investigate activity from the known malicious IP addresses<\/strong> listed above.<\/p>\n\n\n\n
        5. Make damn sure your FortiWeb management interfaces are not accessible from the internet.<\/strong> They should be restricted to trusted networks or VPN-only access. If your WAF management panel is publicly reachable, you’re doing it wrong.<\/p>\n\n\n\n
        The Bigger Picture<\/h2>\n\n\n\n
        This is yet another reminder that security appliances themselves are juicy targets. Fortinet has had a rough few years with vulnerabilities in FortiOS, FortiGate, FortiNAC, and now FortiWeb.<\/p>\n\n\n\n
        When your web application firewall\u2014the thing that’s supposed to protect<\/strong> your web apps\u2014gets pwned, that’s a special kind of irony. It’s like hiring a bodyguard who turns out to be working for the mob.<\/p>\n\n\n\n
        And let’s talk about the elephant in the room: vendor transparency<\/strong>. If you’re Fortinet and you’ve got a critical zero-day being actively exploited, maybe\u2014just maybe\u2014you should put that information on your official security advisory page? Revolutionary concept, I know.<\/p>\n\n\n\n
        The researchers and security community had to piece this together from threat intelligence, honeypots, and independent testing. That’s not how this should work.<\/p>\n\n\n\n
        Lessons Learned (That We Keep Having to Relearn)<\/h2>\n\n\n\n
        Security appliances need security too.<\/strong> Just because something is marketed as a security product doesn’t mean it’s magically immune to vulnerabilities.<\/p>\n\n\n\n
        Management interfaces should never be internet-facing.<\/strong> I will die on this hill. There is no good reason your firewall admin panel needs to be reachable from the public internet.<\/p>\n\n\n\n
        Patch quickly, but also verify.<\/strong> Update to 8.0.2, yes, but also check for indicators of compromise. If attackers created admin accounts before you patched, those accounts will still be there after the patch.<\/p>\n\n\n\n
        Monitor your security infrastructure.<\/strong> Your SIEM should be watching your FortiWeb just as closely as it watches everything else. Configuration changes, new admin accounts, unusual API calls\u2014all of that should generate alerts.<\/p>\n\n\n\n
        Stay paranoid, my friends. And maybe double-check who actually has admin access to your security appliances.<\/p>\n\n\n\n
        Newsletter Teaser:<\/strong><\/p>\n\n\n\n
        Your FortiWeb WAF Might Be Working for the Bad Guys<\/strong><\/p>\n\n\n\n
        <\/p>\n
        <\/div>","protected":false},"excerpt":{"rendered":"
        Fortinet’s got another critical zero-day on its hands (CVE-2025-64446), and this one’s a doozy. Attackers have been exploiting an unauthenticated path traversal flaw in FortiWeb since early October to create admin accounts\u2014complete with cheeky passwords like “AFT3$tH4ck.” CVSS 9.8. CISA KEV-listed. Actively exploited. If you’re running FortiWeb 8.0.1 or earlier and haven’t patched to 8.0.2 yet, drop everything and do it now. Then check your device for unauthorized admin accounts. Full breakdown inside. <\/p>\n","protected":false},"author":1,"featured_media":655,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[71,2,8],"tags":[227,223,228,219,218,226,221,225,217,224,216,220,222],"class_list":{"0":"post-654","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","6":"hentry","7":"category-application-security","8":"category-cyber-security","9":"category-global-risks","10":"tag-actively-exploited-vulnerability-2025","11":"tag-cisa-kev-catalog","12":"tag-critical-cvss-vulnerability","13":"tag-cve-2025-64446","14":"tag-fortinet-fortiweb-vulnerability","15":"tag-fortinet-psirt","16":"tag-fortinet-security-flaw","17":"tag-fortiweb-admin-account-creation","18":"tag-fortiweb-authentication-bypass","19":"tag-fortiweb-patch-8-0-2","20":"tag-fortiweb-zero-day-exploit","21":"tag-path-traversal-vulnerability","22":"tag-web-application-firewall-exploit","24":"fallback-thumbnail"},"jetpack_featured_media_url":"https:\/\/i0.wp.com\/lars-hilse.de\/lhx18\/wp-content\/uploads\/2025\/11\/Critical-Fortinet-FortiWeb-ZeroDay-Actively-Exploited-Since-October--Attackers-Creating-Admin-Accounts.png?fit=960%2C640&ssl=1","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/paluiP-ay","jetpack_likes_enabled":true,"jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/lars-hilse.de\/lhx18\/wp-json\/wp\/v2\/posts\/654","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lars-hilse.de\/lhx18\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lars-hilse.de\/lhx18\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lars-hilse.de\/lhx18\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lars-hilse.de\/lhx18\/wp-json\/wp\/v2\/comments?post=654"}],"version-history":[{"count":1,"href":"https:\/\/lars-hilse.de\/lhx18\/wp-json\/wp\/v2\/posts\/654\/revisions"}],"predecessor-version":[{"id":656,"href":"https:\/\/lars-hilse.de\/lhx18\/wp-json\/wp\/v2\/posts\/654\/revisions\/656"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lars-hilse.de\/lhx18\/wp-json\/wp\/v2\/media\/655"}],"wp:attachment":[{"href":"https:\/\/lars-hilse.de\/lhx18\/wp-json\/wp\/v2\/media?parent=654"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lars-hilse.de\/lhx18\/wp-json\/wp\/v2\/categories?post=654"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lars-hilse.de\/lhx18\/wp-json\/wp\/v2\/tags?post=654"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}