The Fortinet FortiWeb WAF suffers from a critical authentication bypass vulnerability that has been actively exploited in the wild. The vulnerability is a combination of two flaws: a path traversal vulnerability in the HTTP request targeting the "/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi" endpoint, and an authentication bypass via the CGIINFO HTTP request header. The "fwbcgi" binary processes the CGIINFO header by decoding a Base64-encoded JSON blob containing user attributes such as username, profile name, virtual domain, and login name. By crafting this JSON with values corresponding to the built-in admin account (username "admin", profname "prof_admin", vdom "root", loginname "admin"), an attacker can impersonate the admin user without valid credentials. This allows the attacker to perform any privileged action, including creating new administrator accounts for persistence. Exploitation involves sending a malicious HTTP POST request with the crafted CGIINFO header to the vulnerable endpoint. The flaw was silently patched in FortiWeb version 8.0.2, but many devices remain unpatched and vulnerable. Security researchers have reproduced the vulnerability and released proof-of-concept tools to detect susceptible devices. The attacks are indiscriminate and ongoing, with multiple attacker-created admin accounts detected in the wild. No CVE has been assigned yet, and Fortinet has not published an official advisory. Rapid7 reported a zero-day exploit for sale on a black hat forum, possibly related. The vulnerability poses a severe risk of full device compromise, unauthorized access, and potential lateral movement within networks protected by FortiWeb appliances.

For European organizations, the impact of this vulnerability is significant. FortiWeb appliances are widely deployed in Europe for web application security, protecting critical infrastructure, government services, financial institutions, and enterprises. Successful exploitation allows attackers to gain full administrative control over the WAF, enabling them to disable protections, manipulate traffic, and potentially pivot to internal networks. This can lead to data breaches, service outages, and loss of trust. The creation of persistent admin accounts complicates incident response and forensic investigations. Given the indiscriminate nature of attacks and the availability of proof-of-concept exploits, unpatched European organizations face high risk of compromise. The threat is particularly acute for sectors with high-value targets such as finance, healthcare, and public administration. Additionally, attackers could leverage compromised WAFs to facilitate further attacks like injection, data exfiltration, or ransomware deployment, amplifying the overall impact.

European organizations should immediately verify their FortiWeb appliance versions and apply the official patch in version 8.0.2 or later. If patching is not immediately possible, network-level mitigations such as restricting access to the management interface and the vulnerable API endpoint to trusted IPs should be enforced. Organizations should conduct thorough forensic analysis to detect any signs of compromise, including the presence of unauthorized admin accounts with suspicious usernames. Monitoring HTTP POST requests to the vulnerable endpoint and inspecting CGIINFO headers for anomalies can help detect exploitation attempts. Deploying Web Application Firewall logs and SIEM correlation rules to alert on suspicious admin account creation is recommended. Organizations should also review and tighten access controls and credentials for FortiWeb appliances. Engaging with Fortinet support for guidance and updates is advised. Finally, organizations should educate their security teams about this threat to ensure rapid detection and response.