Researcher Unveils Exploit for Complete Authentication Bypass on FortiWeb

ByAdmin

A security researcher has released a partial proof of concept exploit for a vulnerability in the FortiWeb Web Application Firewall that allows a remote attacker to bypass authentication. The flaw was reported responsibly to Fortinet and is now tracked as CVE-2025-52970. Fortinet released a fix on August 12. Security researcher Aviv Y named the vulnerability FortMajeure and describes it as a “silent failure that wasn’t meant to happen.” Technically, it is an out-of-bounds read in FortiWeb’s cookie parsing that lets an attacker set the Era parameter to an unexpected value. This causes the server to use an all-zero secret key for session encryption and HMAC signing, making forged authentication cookies trivial to create. Exploitation results in a full authentication bypass, allowing the attacker to impersonate any active user, including an administrator.

To exploit CVE-2025-52970 successfully, the target user must have an active session during the attack, and the adversary must brute-force a small numeric field in the cookie. The brute-forcing requirement comes from a field in the signed cookie that is validated by the function refresh_total_logins() in libncfg.so. This field is an unknown number that the attacker must guess, but the researcher notes that the range is usually not above 30, creating a tiny search space of roughly 30 requests. Because the exploit uses the all-zero key due to the Era bug, each guess can be tested instantly by checking if the forged cookie is accepted. The issue impacts FortiWeb versions 7.0 to 7.6, and was fixed in FortiWeb 7.6.4 and later, FortiWeb 7.4.8 and later, FortiWeb 7.2.11 and later, and FortiWeb 7.0.11 and later. Fortinet states in the bulletin that FortiWeb 8.0 releases are not impacted by this issue, so no action is required there.

The security bulletin lists no workarounds or mitigation advice, making upgrading to a safe version the only recommended effective action. Fortinet’s CVSS severity score of 7.7 can be deceptive, as it derives from “high attack complexity” due to the brute-forcing requirement. In practice, however, the brute-forcing part is simple and quick to perform. The researcher shared a proof of concept output, demonstrating admin impersonation on a REST endpoint. However, he withheld the complete exploit that also covers connecting to the FortiWeb CLI via /ws/cli/open. Aviv Y promised to publish the complete exploitation details later, as the vendor’s advisory has been released only recently. The researcher made this decision to allow system administrators more time to apply the fix. The published details demonstrate the core of the issue but are not sufficient for knowledgeable attackers to infer the rest and develop a full weaponised chain, according to the researcher. He explained that attackers would have to reverse engineer the format of the fields in the session, which is impractical given that Fortinet has it. 

Categories: Vulnerability Exploit, Authentication Bypass, Security Patch 

Tags: FortiWeb, Vulnerability, Authentication Bypass, CVE-2025-52970, Exploit, Cookie Parsing, Session Encryption, Brute-Force, Security Bulletin, Fortinet 

Leave a Reply

Your email address will not be published. Required fields are marked *