A Fortinet FortiWeb vulnerability is being exploited to create new admin users on exposed devices without any authentication. The issue is fixed in FortiWeb 8.0.2, and admins are urged to update as soon as possible and check for signs of unauthorized access.

Threat intelligence firm Defused discovered an “Unknown Fortinet exploit” targeting exposed devices to create admin accounts on October 6.
According to research published by Daniel Card of PwnDefend together with Defused, the flaw is a path traversal issue reached through the FortiWeb management API. Attackers request the following path, in which %3f is a URL-encoded question mark and the ../ sequences step out of the API route into the CGI directory:
/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi
Threat actors send HTTP POST requests to this path with payloads that create local admin-level accounts on the targeted device, with no authentication required.
Researchers found multiple sets of usernames and passwords, including the usernames Testpoint, trader1 and trader, and the passwords 3eMIXX43, AFT3$tH4ck and AFT3$tH4ckmet0d4yaga!n.

The attacks originated from a wide range of IP addresses, including:
107.152.41.19
144.31.1.63
Addresses in the 185.192.70.0/24 range
64.95.13.8 (from original October report)
Security researchers at watchTowr Labs have verified the exploit, sharing a video on X that shows a failed FortiWeb login attempt, the exploit execution, and the successful login as the new admin user.
watchTowr also released a tool called “FortiWeb Authentication Bypass Artifact Generator,” which attempts to exploit the flaw by creating an admin user with an 8-character random username derived from a UUID.
The tool was released to help defenders identify vulnerable devices.
Rapid7 reports that the flaw impacts FortiWeb versions 8.0.1 and earlier. It was resolved in version 8.0.2, released at the end of October.
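The request pattern and indicators above, and the affected-version range reported by Rapid7, translate directly into a log check that defenders can run today. The following is an added example, not code from the article, from Defused, PwnDefend or watchTowr: it percent-decodes request URIs (repeatedly, to catch double encoding), flags requests that combine the admin API route, ../ traversal and the fwbcgi target, matches source IPs against the published addresses and range, compares a FortiWeb version string against the 8.0.2 fix, and diffs the device's admin list against an approved baseline. The access-log lines are constructed samples in common log format, not captures from a real incident, and the log layout is an assumption (adjust LOG_RE for your collector).

```python
import ipaddress
import re
from urllib.parse import unquote

# Indicators quoted in the article: attacker IPs, the /24 range, and the
# usernames created by the exploit.
IOC_IPS = {"107.152.41.19", "144.31.1.63", "64.95.13.8"}
IOC_NETS = [ipaddress.ip_network("185.192.70.0/24")]
IOC_USERS = {"Testpoint", "trader1", "trader"}

ADMIN_API = "/api/v2.0/cmdb/system/admin"   # route abused by the requests
TARGET_CGI = "cgi-bin/fwbcgi"                # where the traversal ends up
DOTDOT = re.compile(r"(?:^|/)\.\.(?:/|$)")   # a '..' path segment

# Constructed sample access-log lines (common log format); not real traffic.
# Line 3 is double-encoded and line 4 comes from an IP not in the IoC list.
SAMPLE_LOG = """\
107.152.41.19 - - [06/Oct/2025:10:12:01 +0000] "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512
10.0.0.7 - - [06/Oct/2025:10:13:44 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 401 0
185.192.70.55 - - [06/Oct/2025:10:15:09 +0000] "POST /api/v2.0/cmdb/system/admin%253f/..%2f..%2f..%2f..%2f..%2fcgi-bin/fwbcgi HTTP/1.1" 200 498
198.51.100.23 - - [06/Oct/2025:10:16:30 +0000] "POST /api/v2.0/cmdb/system/admin%3F/..%2F..%2F..%2F..%2F..%2Fcgi-bin/fwbcgi HTTP/1.1" 200 510
"""

# Assumed log layout: ip ident user [time] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_uri(raw_uri, rounds=3):
    """Percent-decode until stable (bounded), then lower-case for matching."""
    uri = raw_uri
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.lower()


def is_traversal_to_fwbcgi(raw_uri):
    """True when the admin API route is used to traverse into cgi-bin/fwbcgi."""
    uri = normalize_uri(raw_uri)
    return ADMIN_API in uri and TARGET_CGI in uri and DOTDOT.search(uri) is not None


def is_ioc_ip(ip):
    """Match a source IP against the published addresses and the /24 range."""
    if ip in IOC_IPS:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IOC_NETS)


def is_vulnerable_version(version):
    """Rapid7: 8.0.1 and earlier are affected, fixed in 8.0.2. Other release
    branches are not covered by the article; check the vendor's fix list."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < (8, 0, 2)


def unexpected_admins(current_admins, approved_admins):
    """Admin accounts absent from the approved baseline, IoC names first."""
    extra = set(current_admins) - set(approved_admins)
    return sorted(extra, key=lambda name: (name not in IOC_USERS, name))


def scan_log(text):
    """Return one finding per log line that hits the traversal or IP rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if is_traversal_to_fwbcgi(m["uri"]):
            reasons.append("traversal-to-fwbcgi")
        if is_ioc_ip(m["ip"]):
            reasons.append("known-attacker-ip")
        if reasons:
            hits.append({"ip": m["ip"], "method": m["method"],
                         "status": int(m["status"]), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("8.0.1 vulnerable:", is_vulnerable_version("8.0.1"))
    print("unexpected admins:", unexpected_admins(["admin", "trader1", "ops"], ["admin", "ops"]))
```

The traversal rule fires on the request shape, not on the source address, so it still catches the fourth sample line even though that IP is not on the published list; a 200 status on such a request is the signal to go and audit the admin table, which is what unexpected_admins is for.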
At the time of reporting, BleepingComputer could not find any advisory on Fortinet’s PSIRT site matching the vulnerability being exploited.
WatchTowr Labs’ open-source tool, hosted on GitHub as watchTowr-vs-Fortiweb-AuthBypass, checks a device by performing the bypass itself. The Python script generates a unique username and password (e.g., “35f36895”) and sends the exploit payload to the target, for example: python watchTowr-vs-Fortiweb-AuthBypass.py 192.168.1.99. Because the check works by actually creating an account, a successful run leaves a new admin user on the device, which should be removed once the result has been recorded.
Source: Defused, pwndefend, Daniel_Card, BleepingComputer
InfoSecBulletin Cybersecurity for mankind
