CVE-2025-52970 - Fortinet FortiWeb Auth Bypass Actively Exploited

CVE-2025-52970 impacts Fortinet FortiWeb web application firewall appliances running FortiWeb 8.0.1 and earlier, enabling an authentication bypass that attackers are actively exploiting to create local admin users. Researchers observed FortiWeb management endpoints being hit with crafted HTTP POST requests to a path traversal API endpoint that results in unauthorized creation of administrator accounts without valid credentials. This Fortinet FortiWeb vulnerability aligns with MITRE ATT&CK techniques T1190 (Exploit Public-Facing Application) for initial access and T1136 (Create Account) for persistence. Fortinet fixed the flaw in FortiWeb 8.0.2, but exploitation surged once public proof-of-concept and defender tooling appeared. The attack targets the api endpoint that encodes as admin%3f and uses path traversal to reach an internal CGI handler that processes administrative actions. Threat actors send POST payloads that instruct the device to create new admin-level accounts such as Testpoint or trader1 with complex passwords designed to look legitimate. Telemetry shows exploit traffic originating from a wide range of IP addresses, indicating scanning and spraying behavior rather than targeted campaigns. WatchTowr Labs and Defused both validated the exploit and released a FortiWeb authentication bypass artifact generator to help defenders identify exposed and vulnerable instances. For organizations relying on Fortinet FortiWeb as a critical WAF in front of public web applications, compromise of the appliance undermines confidence in HTTP filtering, TLS termination and any virtual patching in place. Attackers with admin access can modify rules, disable protections, intercept or tamper with traffic and pivot into internal networks behind the WAF. Where FortiWeb devices process personal or payment data, unauthorized access and traffic inspection may trigger GDPR, PCI-DSS or sectoral breach notification requirements even if the underlying application servers are not directly compromised. Fortinet has addressed CVE-2025-52970 in FortiWeb 8.0.2 and later, and administrators should immediately upgrade all internet-facing appliances and verify running versions. Defenders should review FortiWeb configuration for unknown admin accounts, search logs for requests referencing the fwbcgi path and block direct management access from the internet in favor of VPN-only workflows. Organizations unable to patch immediately should apply tight access controls, monitor for suspicious logins and consider temporary compensating controls such as external reverse proxies while they accelerate migration off vulnerable releases.