A severe security vulnerability in Fortinet’s FortiWeb web application firewall is currently being actively exploited, allowing attackers to bypass authentication and create unauthorized administrator accounts. This zero-day flaw, identified as a path traversal vulnerability, has been observed in the wild since early October, impacting FortiWeb versions 8.0.1 and earlier.
The successful exploitation of this vulnerability grants unauthenticated attackers significant control over compromised systems. Fortinet silently rolled out a fix in its FortiWeb version 8.0.2 release around October 24, 2025, without issuing a public advisory or providing detailed disclosure of the flaw.
Discovery and Exploitation Details
Threat intelligence company, Defused, first detected an “unknown Fortinet exploit” on October 6, 2025. This initial observation pointed to a sophisticated attack method aimed at creating illicit administrator accounts on affected systems. Reports indicate a growing frequency of these attacks since their first detection, highlighting the urgent need for organizations to implement protective measures.
Further investigation by PwnDefend, in collaboration with Defused, confirmed the vulnerability as a path traversal flaw. This type of vulnerability allows attackers to access files and directories outside of the intended root directory, ultimately leading to unauthorized administrative access in this scenario.
Independent Corroboration and Proof-of-Concept
WatchTowr Labs, another cybersecurity research firm, independently verified the active exploitation. Researchers from WatchTowr Labs showcased the exploit in a video demonstration, successfully logging in with an administrator account created through the vulnerability. They subsequently released a Proof-of-Concept (PoC) tool, the FortiWeb Authentication Bypass Artifact Generator, to illustrate the vulnerability by attempting to create an administrator account using an arbitrary eight-character username.
Leading cybersecurity firm, Rapid7, issued an “Attacker-Observed Exploitation” (AOE) alert, emphasizing the critical nature of the flaw. Their tests confirmed that FortiWeb versions 8.0.1 and earlier are vulnerable to these attacks. Rapid7’s findings align with reports suggesting the vulnerability was quietly patched in FortiWeb version 8.0.2, a release that notably lacked any public disclosure from Fortinet regarding the vulnerability or its remediation.
Concerns and Recommendations
The absence of a public advisory from Fortinet has raised concerns within the cybersecurity community, as it limits the visibility and immediate response capabilities of affected organizations. Users of FortiWeb are strongly advised to verify their installed versions and update to FortiWeb 8.0.2 or later to protect against this actively exploited zero-day vulnerability.