Discovered: October 10th, 2025 (first exploitation observed)
Impacted Tech: Fortinet FortiWeb (WAF) Manager / Appliances – versions 8.0.1 and earlier (fixed in 8.0.2)
Summary:
A path-traversal and authentication bypass vulnerability allows unauthenticated attackers to create local administrative accounts through the FortiWeb management interface. Once exploited, an attacker effectively gains full control of the WAF appliance – enabling persistent access, unauthorized configuration changes, and potential lateral movement deeper into the environment. This weakness is already being exploited in the wild, and a public proof-of-concept is circulating.
Technical Details:
The following weaknesses, when chained, allow for complete compromise of the vulnerable FortiWeb appliance:
- Path traversal to internal CGI endpoints: By starting with a valid FortiWeb API path, an attacker can traverse to another internal CGI executable (fwbcgi). If the endpoint located at:
/api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi
- Authentication bypass via the impersonation handler: Once the attacker reaches fwbcgi, FortiWeb fails to enforce authentication checks on certain code paths that handle user impersonation. This allows an unauthenticated request to invoke administrative actions directly, specifically the creation of new local admin users with unrestricted permissions. Attackers observed in the wild are using this to drop accounts such as “Testpoint,” “trader1,” and similar operator-style usernames.
Verify Exposure:
1. Check whether the FortiWeb management interface is reachable from the internet.
2. Attempt a “safe” API path traversal test: send a POST request to /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi. An HTTP 200 response indicates exposure and potential exploitability.
Interim Mitigation Measures:
- Update all FortiWeb appliances to version 8.0.2 or later, which appears to block the known exploit chain. (Fortinet has not yet published a formal advisory or patch note.)
- If immediate patching is not possible, restrict the management interface so it is not reachable from the internet (allow internal access only or place behind a VPN).
- Audit all admin accounts on FortiWeb for any new or unexpected local users (e.g., usernames “Testpoint”, “trader1”, “trader” detected in ongoing attacks).
- Review logs for HTTP POSTs to /cgi-bin/fwbcgi (including traversal variants that resolve to that path) and for unusual trusthost settings (such as 0.0.0.0/0 or ::/0) assigned to newly created users.
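The following script is an added triage example for the two audit steps above (the admin-account review and the log review); it is not Fortinet code and not part of the original advisory. The access-log line format, the admin inventory representation, and the names APPROVED_ADMINS, SAMPLE_ACCESS_LOG and SAMPLE_ADMINS are all constructed for illustration; adapt the parser to your actual FortiWeb or syslog export. The point it makes beyond the prose is that a naive substring match on /cgi-bin/fwbcgi misses the traversal form, so the request path has to be percent-decoded and dot-segment-normalized before comparison.

```python
"""Triage helpers for the FortiWeb fwbcgi indicators (added example, not Fortinet code)."""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access log, one request per line: "METHOD PATH STATUS CLIENT".
# Real FortiWeb exports will differ; only the parser regex below needs changing.
SAMPLE_ACCESS_LOG = """\
GET /api/v2.0/cmdb/system/status 200 10.0.0.5
POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi 200 203.0.113.7
POST /api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi 200 198.51.100.9
POST /cgi-bin/fwbcgi 200 198.51.100.9
GET /static/app.js 200 10.0.0.5
POST /api/v2.0/cmdb/system/admin 401 10.0.0.8
"""

# Constructed sample admin inventory: (username, list of trusthost entries).
SAMPLE_ADMINS = [
    ("admin", ["10.0.0.0/24"]),
    ("Testpoint", ["0.0.0.0/0", "::/0"]),
    ("trader1", ["0.0.0.0/0"]),
    ("secops", ["10.0.0.0/24"]),
]

# Hypothetical baseline of accounts your team actually provisioned.
APPROVED_ADMINS = {"admin", "secops"}
OPEN_TRUSTHOSTS = {"0.0.0.0/0", "::/0"}
TARGET_CGI = "/cgi-bin/fwbcgi"

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<client>\S+)$")


def normalize_path(raw_path: str) -> str:
    """Collapse percent-encoding and dot segments the way a permissive server would.

    The query string is split off on the raw '?' first, so an encoded '%3f' survives
    as a literal '?' inside a segment and the '..' segments after it still apply.
    """
    path_only = raw_path.split("?", 1)[0]
    decoded = unquote(path_only)
    return posixpath.normpath(decoded)


def find_fwbcgi_posts(log_text: str) -> list:
    """Return every POST whose normalized path resolves to the fwbcgi endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        normalized = normalize_path(m["path"])
        if normalized != TARGET_CGI:
            continue
        hits.append({
            "client": m["client"],
            "status": int(m["status"]),
            "raw_path": m["path"],
            # Traversal flag: the request only reached fwbcgi via '..' segments.
            "traversal": ".." in unquote(m["path"]),
        })
    return hits


def find_suspicious_admins(admins, approved) -> list:
    """Flag admins that are not in the approved baseline or carry a wide-open trusthost."""
    findings = []
    for name, trusthosts in admins:
        reasons = []
        if name not in approved:
            reasons.append("not in approved list")
        open_hosts = sorted(set(trusthosts) & OPEN_TRUSTHOSTS)
        if open_hosts:
            reasons.append("open trusthost " + ", ".join(open_hosts))
        if reasons:
            findings.append({"user": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_fwbcgi_posts(SAMPLE_ACCESS_LOG):
        print("fwbcgi POST", hit)
    for finding in find_suspicious_admins(SAMPLE_ADMINS, APPROVED_ADMINS):
        print("admin review", finding)
```

On the constructed sample, the three POSTs that resolve to /cgi-bin/fwbcgi are reported (two via traversal, one direct) while the legitimate POST to the admin API is not, and the two unexpected accounts are flagged both for being outside the baseline and for their 0.0.0.0/0 and ::/0 trusthosts. A hit from a client outside your management ranges, followed by a new admin with an open trusthost, is the sequence worth escalating.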
Urgency: Critical. Exploitation has been confirmed in the wild, the attack requires no authentication, and compromise of a WAF appliance often leads to broad secondary impact – ranging from data exfiltration to lateral movement inside the network.
Additional Resources:
