Threat actors are actively exploiting a significant authentication bypass vulnerability in Fortinet's FortiWeb web application firewall (WAF) worldwide, and defenders are being urged to stay alert.
Researchers at watchTowr Labs have responded by releasing a Detection Artefact Generator script, designed to help organizations check their environments for vulnerable FortiWeb devices and remediate them promptly.
This vulnerability, identified as CVE-2025-52970, arises from inadequate parameter management in FortiWeb, allowing unauthenticated remote intruders to log in as any existing user through specially crafted requests.
With a CVSS score of 7.7, it requires some non-public knowledge of the targeted device, but it introduces serious risks, including privilege escalation and potential remote code execution on compromised systems.
Fortinet has rectified the vulnerability in versions 8.0.2 and beyond, yet real-world attacks have intensified since a partial proof-of-concept emerged publicly in August 2025, indiscriminately targeting exposed FortiWeb instances.
Security firms report numerous breaches, highlighting the immediate need for prompt patching amidst ongoing exploitation campaigns.
WatchTowr Labs' open-source utility, available on GitHub as watchTowr-vs-Fortiweb-AuthBypass, detects the flaw by reproducing the bypass technique. The Python script generates a distinct username and password (e.g., `35f36895`) and sends the payload to the target IP, for example: `python watchTowr-vs-Fortiweb-AuthBypass.py 192.168.1.99`.
On success, it confirms the device is vulnerable by creating a temporary user, which alerts administrators that the issue needs to be addressed. Written by Sina Kheirkhah (@SinSinology) and Jake Knott (@inkmoro), the script targets FortiWeb versions below 8.0.2; further details are available through FortiGuard Labs PSIRT.
Organizations should prioritize scanning internet-facing devices, applying patches, and monitoring for unusual logins. As supply chain threats evolve, tools like this enable proactive defense in a threat landscape where WAFs paradoxically become entry points.
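A defender-side triage helper, added here as an example and not part of the watchTowr tool or Fortinet's guidance: it checks an inventory of FortiWeb version strings against the fixed version 8.0.2 named above and flags entries it cannot parse for manual review instead of assuming they are safe. The hosts and version strings are constructed, and the assumed format is a dotted major.minor.patch string.

```python
import re

# Fixed version from the advisory summary above: FortiWeb 8.0.2 and later are patched.
FIXED_VERSION = (8, 0, 2)

# Assumed version format: optional "v" prefix followed by major.minor.patch digits.
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a version string, or None if it cannot be parsed."""
    match = _VERSION_RE.search(text.strip())
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def classify(version_text):
    """Return 'patched', 'vulnerable' or 'unknown'.

    Unparseable input is reported as 'unknown' so an odd inventory entry is
    reviewed by a human rather than silently counted as safe (fail closed).
    """
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    return "patched" if version >= FIXED_VERSION else "vulnerable"


def triage(inventory):
    """Group (host, version) pairs by patch status, preserving inventory order."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory:
        result[classify(version)].append(host)
    return result


# Constructed sample inventory (hypothetical hosts and versions, not from the page).
SAMPLE_INVENTORY = [
    ("waf-edge-01", "8.0.1"),
    ("waf-edge-02", "v8.0.2"),
    ("waf-dmz-01", "7.6.4"),
    ("waf-lab-01", "8.1.0"),
    ("waf-legacy", "n/a"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```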