FortiWeb authentication bypass flaw allows admin impersonation
Take action: This vulnerability can become a very interesting exploit vector once the full PoC is published, and it is an excellent example of why input must be validated even in cookies. In the meantime, if you're running FortiWeb versions 7.0 through 7.6, plan an update to the latest patched version (7.6.4, 7.4.8, 7.2.11, or 7.0.11, depending on your branch).
Learn More
Fortinet has patched an authentication bypass vulnerability in its FortiWeb web application firewall that allows remote attackers to bypass authentication and impersonate any user, including administrators.
The flaw, tracked as CVE-2025-52970 (CVSS score 7.7), was discovered by security researcher Aviv Y, who named the exploit "FortMajeure". The vulnerability is caused by an out-of-bounds read in FortiWeb's cookie handling and parsing code that allows an unauthenticated attacker to force the server to use a predictable, all-zero secret key for session encryption and signing.
This makes forged authentication cookies trivial to create. The researcher describes this as forcing the key to be an n-bit string of zeros, where under normal circumstances the probability of a specific key being chosen would be 1/2^n, but due to the vulnerability, this probability becomes 1.
The session cookie in FortiWeb consists of three components: an Era value indicating the session type or tenant, an encrypted Payload containing session information like username and role, and an AuthHash providing HMAC SHA-1 verification. During cookie parsing, the backend selects a secret key based on the Era value from a shared memory array, then decrypts the payload and verifies the authentication hash using that selected key.
The flaw lies in improper validation of the Era parameter, which allows attackers to set arbitrary index values beyond the expected range of 0 or 1. When an Era value between 2 and 9 is supplied, the backend reads uninitialized memory and may end up using a null or zeroed key for both encryption and HMAC signing operations. As a result, attackers can craft session cookies that the system accepts as legitimate.
Affected versions include:
- FortiWeb versions 7.0 through 7.6
Patched versions are:
- FortiWeb 7.6.4 and later
- FortiWeb 7.4.8 and later
- FortiWeb 7.2.11 and later
- FortiWeb 7.0.11 and later
FortiWeb 8.0 releases are not impacted by this vulnerability and require no action.
The researcher demonstrated successful admin impersonation through a proof-of-concept targeting the REST endpoint /api/v2.0/system/status.systemstatus, showing complete access to system information including firmware version, operation mode, and configuration details.
Exploitation has some practical limitations:
- To successfully exploit the vulnerability, the target user must have an active session during the attack, and the attacker must brute-force a small numeric field in the cookie that is validated by the refresh_total_logins() function. While this adds attack complexity, the researcher notes that this number typically doesn't exceed 30, creating a minimal search space requiring roughly 30 requests at most.
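The two passages above (the three-part cookie layout with its Era-indexed key lookup, and the exploitation limitations) both come down to the same defensive point: a cookie field that indexes a key table must be bounds-checked before it touches memory, and requests carrying out-of-range values are worth counting in logs. The following is an added example written for this article, not FortiWeb's code or the researcher's proof of concept. It models the bug class with a hypothetical two-slot key table and a constructed cookie layout ("era:base64-payload:hex-HMAC-SHA1"); the key values, the log format and the sample log lines are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import re
from collections import Counter

# Hypothetical two-slot key table standing in for the shared-memory array the
# article describes. Both keys are constructed sample values, not FortiWeb's.
KEY_TABLE = [b"constructed-era0-secret", b"constructed-era1-secret"]
VALID_ERAS = range(len(KEY_TABLE))

# Constructed cookie layout: "<era>:<base64 payload>:<40 hex chars of HMAC-SHA1>"
COOKIE_RE = re.compile(r"^(\d{1,3}):([A-Za-z0-9+/=]+):([0-9a-f]{40})$")


def select_key(era: int) -> bytes:
    """Return the key for an Era index, refusing anything outside the table.

    The bounds check is the fix this bug class needs: an index past the end of
    the table must never reach memory. The all-zero check is defence in depth;
    a zeroed key is exactly what an uninitialised slot would yield.
    """
    if era not in VALID_ERAS:
        raise ValueError(f"Era {era} outside valid range 0..{len(KEY_TABLE) - 1}")
    key = KEY_TABLE[era]
    if key == bytes(len(key)):
        raise ValueError("refusing all-zero key")
    return key


def _mac(key: bytes, era: int, payload: bytes) -> str:
    # Bind the Era index into the MAC input so a cookie cannot be re-pointed
    # at a different key slot without invalidating its AuthHash.
    return hmac.new(key, f"{era}:".encode() + payload, hashlib.sha1).hexdigest()


def sign(era: int, payload: bytes) -> str:
    """Issue a cookie for a valid Era; used here only to build the sample data."""
    return f"{era}:{base64.b64encode(payload).decode()}:{_mac(select_key(era), era, payload)}"


def verify(cookie: str) -> bool:
    """Parse and verify a cookie; any structural, range or MAC failure is False."""
    m = COOKIE_RE.match(cookie)
    if not m:
        return False
    era = int(m.group(1))
    try:
        key = select_key(era)                      # rejects Era 2..9 and beyond
        payload = base64.b64decode(m.group(2), validate=True)
    except ValueError:                             # binascii.Error is a ValueError
        return False
    return hmac.compare_digest(_mac(key, era, payload), m.group(3))


# Constructed access-log format: "<ip> <method> <path> cookie=<cookie>"
LOG_RE = re.compile(r"^(?P<ip>\S+) .*? cookie=(?P<cookie>\S+)")


def triage(log_lines) -> dict:
    """Count, per source IP, requests whose cookie Era is outside the valid range.

    A run of such requests from one address is the signal a defender wants to
    see, since a legitimate client never emits an Era the server did not issue.
    """
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        cm = COOKIE_RE.match(m.group("cookie"))
        if cm is not None and int(cm.group(1)) not in VALID_ERAS:
            hits[m.group("ip")] += 1
    return dict(hits)


# Constructed sample log: one legitimate client and one address probing Era 5 and 9.
_BOGUS_PAYLOAD = base64.b64encode(b"user=probe").decode()
SAMPLE_LOG = [
    "198.51.100.7 GET /api/status cookie=" + sign(1, b"user=alice;role=ro"),
    "203.0.113.9 GET /api/status cookie=5:" + _BOGUS_PAYLOAD + ":" + "0" * 40,
    "203.0.113.9 GET /api/status cookie=9:" + _BOGUS_PAYLOAD + ":" + "0" * 40,
    "203.0.113.9 GET /api/status cookie=" + sign(0, b"user=bob;role=ro"),
]

if __name__ == "__main__":
    print("legitimate cookie verifies:", verify(sign(0, b"user=alice;role=ro")))
    print("out-of-range Era rejected:", not verify("5:" + _BOGUS_PAYLOAD + ":" + "0" * 40))
    print("per-IP out-of-range Era counts:", triage(SAMPLE_LOG))
```

The verifier fails closed on every path (malformed cookie, Era outside the table, undecodable payload, MAC mismatch), and the triage function reuses the same parser so that what is logged as suspicious is exactly what the verifier would refuse.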
Aviv Y has published partial exploitation details and a proof-of-concept demonstrating the core vulnerability, but has withheld the complete exploit that includes accessing the FortiWeb CLI via the /ws/cli/open endpoint. The researcher plans to release full exploitation details later to give system administrators adequate time to apply security updates.