A serious security warning has been raised for users of the Fortinet FortiWeb Web Application Firewall (WAF). Cybersecurity researchers have discovered an authentication bypass vulnerability that allows attackers to create administrator accounts, take full control of FortiWeb appliances, and potentially move into the networks behind them. Most worrying, the flaw was already being actively exploited in the wild before many organizations knew it existed.
According to researchers, Fortinet silently patched the vulnerability in version 8.0.2, but many appliances still run older versions and remain exposed. Security experts are therefore advising all organizations to treat this as a high-severity incident and act immediately.
Benjamin Harris, CEO and founder of watchTowr, confirmed that attackers are actively exploiting this flaw in live environments.
The company noticed widespread and indiscriminate attack attempts, meaning hackers are not targeting specific organizations—they are attacking any vulnerable FortiWeb device they can find.
According to Harris:
“The vulnerability allows attackers to perform actions as a privileged user, and most attacks we observed were focused on adding a new administrator account to maintain long-term access.”
A newly created administrator account gives the attacker persistent access that survives reboots and is unaffected by temporary controls such as blocking the exploit traffic; the account itself has to be found and removed.
The watchTowr team was able to reproduce the vulnerability and develop a proof-of-concept (PoC) exploit. They also released an artifact generator tool to help organizations detect whether their FortiWeb appliances are vulnerable.
Meanwhile, independent cybersecurity researchers from Defused and Daniel Card of PwnDefend shared additional technical details. They found that attackers were sending a specially crafted payload to the following endpoint:
Cybersecurity company Rapid7 issued an urgent warning. Their team discovered that on November 6, 2025, a supposed zero-day exploit for FortiWeb was put up for sale on a well-known black-hat hacking forum.
While it is currently unclear whether this exploit is the same one seen in the ongoing attacks, the timing strongly suggests a connection.
Rapid7 is urging all organizations running any version of FortiWeb older than 8.0.2 to consider this a critical emergency and patch immediately.
watchTowr’s Harris emphasized that companies must act quickly:
“Users now face a familiar process: look for signs of compromise, contact Fortinet for more information, and install available patches immediately.”
He also warned that because attackers have been exploiting this vulnerability openly and without targeting specific victims, devices that are still unpatched are “likely already compromised.”
This means companies should not only patch but also:
- Review system logs for unexpected administrator accounts
- Scan for unusual network activity
- Change all administrative credentials
- Consider a full forensic investigation if any suspicious signs are detected
The Fortinet FortiWeb authentication bypass flaw is a high-risk vulnerability that is already being used by attackers to take over devices worldwide. Since the exploit allows hackers to create admin accounts silently, the attack is extremely dangerous and easy to miss.
Recommended actions:
- Upgrade to FortiWeb version 8.0.2 or higher immediately.
- Check logs for unexpected administrator accounts.
- Perform a thorough security audit.
- Monitor Fortinet’s PSIRT feeds for official updates.
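As an added example that is not part of the article and not a Fortinet or watchTowr tool, the Python below implements two of the checks recommended above: it flags appliances whose reported version is below the 8.0.2 fix level the article names, and it scans Fortinet-style key=value event-log lines for administrator accounts that are added, or that log in, from outside a documented inventory and management subnet. The sample inventory, the log lines, the field names (type, subtype, action, user, ui, msg), the message wording and the management network are all constructed assumptions; compare them with a real log export from your own appliance before relying on the parser. Because the bypass lets an unauthenticated client create an account, the audit deliberately does not trust the recorded actor field and keys on the created account name and the source address instead.

```python
"""Added triage helpers (not from the article, Fortinet or watchTowr).

needs_patch / triage_inventory: is a FortiWeb version below the 8.0.2 fix?
audit_admin_events: flag admin-account additions and logins outside the
baseline, reading key=value event-log lines (field names are assumptions).
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# The article names 8.0.2 as the fixed release. Adjust if Fortinet's advisory
# lists separate fixes for other release branches.
FIXED_VERSION = (8, 0, 2)

# Assumed baseline: documented admin accounts and the management subnet.
KNOWN_ADMINS = {"admin", "backup_ops"}
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample data (not real logs). Field names mirror Fortinet's
# key=value style; the wording of msg is an assumption.
SAMPLE_INVENTORY = {"fwb-dc1": "8.0.1", "fwb-dc2": "8.0.2", "fwb-lab": "7.6.3"}
SAMPLE_LOG = """\
date=2025-11-13 time=09:12:44 type=event subtype="admin" user="admin" ui="GUI(10.0.0.7)" action="login" msg="User admin login successfully"
date=2025-11-13 time=09:13:02 type=event subtype="admin" user="admin" ui="GUI(10.0.0.7)" action="add" msg="User admin added admin user backup_ops"
date=2025-11-14 time=03:41:19 type=event subtype="admin" user="admin" ui="API(203.0.113.5)" action="add" msg="User admin added admin user sysupd"
date=2025-11-14 time=03:41:20 type=event subtype="admin" user="sysupd" ui="GUI(203.0.113.5)" action="login" msg="User sysupd login successfully"
date=2025-11-14 time=08:00:01 type=event subtype="system" user="" action="backup" msg="Scheduled config backup"
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
ADD_USER_RE = re.compile(r"added admin user (\S+)")
SRC_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_version(ver: str) -> Tuple[int, ...]:
    """'8.0.1', 'v7.6.3' or '8.0.2 build 0123' -> comparable tuple."""
    nums = re.findall(r"\d+", ver)
    if not nums:
        raise ValueError(f"unparseable version: {ver!r}")
    return tuple(int(n) for n in nums[:3])


def needs_patch(ver: str) -> bool:
    """True when the reported version is below the fixed release."""
    return parse_version(ver) < FIXED_VERSION


def triage_inventory(inventory: Dict[str, str]) -> List[str]:
    """Hostnames whose version is below the fix, sorted."""
    return sorted(host for host, ver in inventory.items() if needs_patch(ver))


def parse_kv_line(line: str) -> Dict[str, str]:
    """Split one key=value log line; quoted values may contain spaces."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def audit_admin_events(log_text: str, known_admins=KNOWN_ADMINS,
                       mgmt_nets=MGMT_NETS) -> List[dict]:
    """Flag admin additions and logins that fall outside the baseline.

    The recorded actor (user=) is not trusted: an auth bypass can make an
    unauthenticated request look like a legitimate session, so the checks
    key on the created account name and the source address.
    """
    findings = []
    for line in log_text.splitlines():
        f = parse_kv_line(line)
        if f.get("type") != "event" or f.get("subtype") != "admin":
            continue
        sm = SRC_IP_RE.search(f.get("ui", ""))
        src_ip = ipaddress.ip_address(sm.group(1)) if sm else None
        off_net = src_ip is not None and not any(src_ip in n for n in mgmt_nets)
        reasons = []
        if f.get("action") == "add":
            am = ADD_USER_RE.search(f.get("msg", ""))
            new_user = am.group(1) if am else "<unparsed>"
            if new_user not in known_admins:
                reasons.append(f"new admin account {new_user!r} not in inventory")
            if off_net:
                reasons.append(f"account created from non-management address {src_ip}")
        elif f.get("action") == "login":
            if f.get("user") not in known_admins:
                reasons.append(f"login by unknown admin {f.get('user')!r}")
            if off_net:
                reasons.append(f"admin login from non-management address {src_ip}")
        if reasons:
            findings.append({"date": f.get("date"), "time": f.get("time"),
                             "user": f.get("user"), "action": f.get("action"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    print("Below 8.0.2:", triage_inventory(SAMPLE_INVENTORY))
    for hit in audit_admin_events(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']} {hit['action']} by {hit['user']}: "
              + "; ".join(hit["reasons"]))
```

On the constructed sample the script reports fwb-dc1 and fwb-lab as unpatched and raises two findings: the creation of an undocumented account from an address outside the management subnet, and the first login by that account. A real investigation would also pull the running admin list from the appliance itself, since an attacker who gains administrative access can disable or prune logging after the fact.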
With attackers exploiting this vulnerability widely, organizations must act now to protect their networks and prevent unauthorized access.
Apply the latest security updates immediately, check appliances for unknown administrator accounts, review logs for suspicious activity, reset all administrator passwords, and run a full security audit. Keep monitoring official security advisories, and assume possible compromise if a device was unpatched and reachable during the active exploitation period.