A critical authentication bypass vulnerability in FortiWeb allows unauthenticated remote attackers to impersonate any existing user on affected systems.
The vulnerability, tracked as CVE-2025-52970 with a CVSS score of 7.7, affects multiple FortiWeb versions and stems from improper parameter handling in the cookie parsing mechanism.
Key Takeaways
1. CVE-2025-52970 lets attackers bypass authentication to log in as any user on FortiWeb systems.
2. FortiWeb 7.0-7.6 versions are vulnerable.
3. Attackers manipulate cookie parameters to force zero-filled encryption keys.
FortiWeb Out-of-Bounds Vulnerability
The vulnerability exploits an out-of-bounds read condition in FortiWeb’s cookie handling code, specifically affecting the CWE-233 improper handling of parameters.
During cookie parsing, the system uses an “Era” parameter to select encryption keys from a shared memory array without proper validation.
The FortiWeb session cookie contains three components: the Era (session type identifier), Payload (encrypted session data including username and role), and AuthHash (HMAC SHA1 signature).
By manipulating the Era parameter to values between 2 and 9, attackers can force the system to read uninitialized memory locations, potentially resulting in the use of null or zero-filled encryption keys.
Out-of-bounds Flaw
This manipulation effectively reduces the cryptographic security to zero, as the probability of the key being all zeros changes from 1/2^n (normal circumstances) to 1 (guaranteed under exploitation).
The researcher Aviv Y demonstrated this with a proof-of-concept targeting the /api/v2.0/system/status.systemstatus endpoint, showing successful admin impersonation through crafted cookie requests.
Risk FactorsDetailsAffected Products– FortiWeb 7.0.0 – 7.0.10- FortiWeb 7.2.0 – 7.2.10- FortiWeb 7.4.0 – 7.4.7- FortiWeb 7.6.0 – 7.6.3- FortiWeb 8.0: Not AffectedImpactAuthentication bypassExploit Prerequisites– Non-public device information- Non-public targeted user information- Active user session during exploit- Brute-force validation number (~30 attempts)CVSS 3.1 Score7.7 (High Severity)
Mitigations
The vulnerability affects FortiWeb versions 7.0.0 through 7.0.10, 7.2.0 through 7.2.10, 7.4.0 through 7.4.7, and 7.6.0 through 7.6.3, while FortiWeb 8.0 remains unaffected.
Organizations must upgrade to patched versions: 7.0.11+, 7.2.11+, 7.4.8+, or 7.6.4+, respectively.
The exploit requires specific conditions, including knowledge of non-public device information and an active target user session during exploitation.
Exploit chain
Attack complexity involves brute-forcing an unknown validation number through the refresh_total_logins() function, typically requiring fewer than 30 attempts with O(N) computational cost.
Security researcher Aviv Y, who discovered this vulnerability under responsible disclosure, developed a complete exploit chain utilizing the /ws/cli/open endpoint for CLI access.
Fortinet has already released a patch for the vulnerability; users are recommended to update their systems with the patches released yesterday.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
Source: cybersecuritynews.com
