Overview
A critical vulnerability in Fortinet’s FortiWeb Web Application Firewall (WAF) has been actively exploited in the wild. On October 6, 2025, the cyber deception company Defused released a proof-of-concept exploit on social media that was captured by one of their FortiWeb Manager honeypots. This flaw allows attackers to bypass FortiWeb’s security measures, granting them administrator-level access to the FortiWeb Manager panel and the websocket command-line interface.
FortiWeb is designed to detect and block malicious traffic aimed at web applications. However, exploitation of this vulnerability in versions prior to 8.0.2 enables attackers to gain unauthorized access to critical management functions, posing significant risks to affected systems.
Rapid7 Observations
While Rapid7 has tested FortiWeb version 8.0.2 and confirmed that the public exploit fails against this version, earlier versions (such as 8.0.1, released in August 2025) remain vulnerable. Rapid7 has also identified a separate exploit for sale on black hat forums, which coincidentally surfaced in November, though it is unclear whether this is related to the current vulnerability. More information you find here:
Mitigation Guidance
As of November 13, 2025, Fortinet has not issued official remediation guidance, and no CVE has been assigned to this vulnerability. Rapid7 recommends immediate action to mitigate the risk:
- Update to Version 8.0.2: Organizations running versions older than 8.0.2 should upgrade to the latest release as it appears to fix the vulnerability.
- Limit Management Interface Exposure: If upgrading is not immediately feasible, it is strongly advised to remove the FortiWeb management interface from the public internet to limit potential attack vectors.
Exploitation Behavior
The exploitation of this vulnerability varies across different FortiWeb versions. When an attacker targets FortiWeb 8.0.1, they can successfully create a malicious local administrator account (e.g., “hax0r”) through the exploit.
Conclusion
The critical vulnerability in FortiWeb has been actively exploited since October 2025, with targeted attacks likely expanding as more details become public. Fortinet users should prioritize upgrading to the latest version, 8.0.2, and follow best practices for limiting management interface exposure. Until official vendor guidance is available, continue monitoring Fortinet’s PSIRT feed for further updates and remediation steps.
For more details and future updates, please follow the Fortinet PSIRT feed or contact Rapid7 for expert support.