
FortiWeb Authentication Bypass Vulnerability Allows Attackers to Gain Unauthorized Access as Any Existing User

A high-severity authentication bypass vulnerability, tracked as CVE-2025-52970, has been identified in FortiWeb. It allows an unauthenticated remote attacker to impersonate any existing user on an affected appliance. The flaw carries a CVSS score of 7.7 and affects FortiWeb 7.0.0 through 7.0.10, 7.2.0 through 7.2.10, 7.4.0 through 7.4.7, and 7.6.0 through 7.6.3; FortiWeb 8.0 is not affected. The root cause is improper parameter handling in the cookie parsing code: the cookie's "Era" parameter is used to select an encryption key without validation, so an attacker-chosen value makes the appliance read from uninitialized memory instead of the key table. That memory is zero-filled, so the cookie is processed with a null (all-zero) key. Because the attacker knows that key as well, the cookie's cryptographic protection is effectively gone, and a crafted cookie passes validation and logs the attacker in as any user.

Technically the bug is an out-of-bounds read in FortiWeb's cookie handling code, classified under CWE-233 (Improper Handling of Parameters). During cookie parsing the Era parameter is used as an index into a key array held in shared memory, and no bounds check is applied to it. Setting Era to a value between 2 and 9 lands the read in memory that is reliably zero-filled, so the key used to validate the cookie is guaranteed to be all zeros. Security researcher Aviv Y demonstrated this with a proof of concept against the /api/v2.0/system/status.systemstatus endpoint, using a crafted cookie to impersonate the admin account. The fix is to upgrade to a patched release: 7.0.11, 7.2.11, 7.4.8, or 7.6.4 or later. Exploitation is not trivial: the attacker needs non-public information about the target device, there must be an active user session to impersonate, and an unknown validation number has to be brute-forced through the refresh_total_logins() function, which typically takes fewer than 30 attempts. Those prerequisites limit opportunistic mass exploitation but are well within reach of a targeted attacker, so the upgrade should not be deferred; in the meantime, keeping the administrative interface off the public internet reduces exposure, as it does for any flaw in an appliance's login path.
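The following Python model illustrates the class of bug described above. It is an added example, not FortiWeb code and not the researcher's proof of concept: the cookie layout (`Era=<n>&Payload=<base64>&AuthHash=<base64>`), the use of HMAC-SHA256 as the cookie's keyed check, the two-slot key table and the size of the zero-filled region beyond it are all assumptions chosen to make the mechanism visible, and the device-specific prerequisites (non-public device information, the active session, the brute-forced validation number) are not modelled. The vulnerable selector indexes the key region by the attacker-supplied Era with no range check, so an out-of-range Era yields an all-zero key that the attacker can reproduce; the fixed selector rejects any Era outside the live slots.

```python
"""Model of an unchecked Era -> key lookup (added illustration, not FortiWeb code).

Assumptions (not taken from the advisory): cookie format
Era=<n>&Payload=<b64>&AuthHash=<b64>, HMAC-SHA256 as the keyed check,
two live key slots, and a zero-filled region after them."""
import base64
import hashlib
import hmac
import secrets
from typing import Callable, Optional

KEY_LEN = 32
LIVE_KEYS = 2        # slots 0 and 1 hold real keys (assumed layout)
REGION_SLOTS = 10    # constructed "shared memory" region; slots 2..9 are never written

# Constructed memory region: real keys in the first two slots, zeros after that.
key_region = bytearray(KEY_LEN * REGION_SLOTS)
for slot in range(LIVE_KEYS):
    key_region[slot * KEY_LEN:(slot + 1) * KEY_LEN] = secrets.token_bytes(KEY_LEN)


def key_for_era_vulnerable(era: int) -> bytes:
    """Vulnerable form: index the key table by Era with no bounds check.
    Era 2..9 reads past the live slots into zero-filled memory."""
    start = era * KEY_LEN
    return bytes(key_region[start:start + KEY_LEN])


def key_for_era_fixed(era: int) -> bytes:
    """Hardened form: only an Era naming a live key slot is accepted."""
    if not 0 <= era < LIVE_KEYS:
        raise ValueError(f"invalid Era {era}")
    return key_for_era_vulnerable(era)


def mac(key: bytes, payload: bytes) -> str:
    """Keyed check over the payload (HMAC-SHA256 is an assumption here)."""
    return base64.b64encode(hmac.new(key, payload, hashlib.sha256).digest()).decode()


def parse_cookie(cookie: str) -> dict:
    """Split Era=..&Payload=..&AuthHash=.. into its fields."""
    fields = dict(part.split("=", 1) for part in cookie.split("&"))
    return {
        "era": int(fields["Era"]),
        "payload": base64.b64decode(fields["Payload"]),
        "authhash": fields["AuthHash"],
    }


def verify_cookie(cookie: str, select_key: Callable[[int], bytes]) -> Optional[bytes]:
    """Server side: return the payload if AuthHash validates under the key
    chosen by Era, else None. select_key is the vulnerable or fixed lookup."""
    c = parse_cookie(cookie)
    try:
        key = select_key(c["era"])
    except ValueError:
        return None
    if not hmac.compare_digest(mac(key, c["payload"]), c["authhash"]):
        return None
    return c["payload"]


def issue_cookie(era: int, payload: bytes) -> str:
    """Legitimate issuance with a live key slot."""
    body = base64.b64encode(payload).decode()
    return f"Era={era}&Payload={body}&AuthHash={mac(key_for_era_fixed(era), payload)}"


def forge_cookie(era: int, payload: bytes) -> str:
    """Attacker side: pick an out-of-range Era and sign with the all-zero key
    the vulnerable server will read from uninitialized memory."""
    zero_key = bytes(KEY_LEN)
    body = base64.b64encode(payload).decode()
    return f"Era={era}&Payload={body}&AuthHash={mac(zero_key, payload)}"


if __name__ == "__main__":
    forged = forge_cookie(3, b"user=admin")  # constructed payload
    print("vulnerable server accepts forged cookie:",
          verify_cookie(forged, key_for_era_vulnerable) is not None)
    print("fixed server accepts forged cookie:",
          verify_cookie(forged, key_for_era_fixed) is not None)
```

The forged cookie only works because the key the server derives from an out-of-range Era is a constant the attacker can compute; with Era set to a live slot the same forgery fails, since the real key is random. The one-line bounds check in `key_for_era_fixed` is the whole difference between the two outcomes, which is why the fix for this class of bug is an input range check at the point of lookup rather than anything in the cryptography itself.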

Categories: Authentication Vulnerability, Cookie Manipulation, FortiWeb Security 

Tags: Authentication Bypass, CVE-2025-52970, FortiWeb, Cookie Parsing, Encryption Keys, Out-of-Bounds Vulnerability, CWE-233, Session Cookie, Exploit Prerequisites, Mitigations 
