A recently uncovered path traversal vulnerability in Fortinet’s FortiWeb web application firewall is now being exploited globally, allowing attackers to create new administrative accounts on unpatched devices without authentication. Security researchers warn that the flaw is severe, easy to exploit, and being used in automated mass attacks.
The vulnerability—fixed in FortiWeb version 8.0.2—was first observed in early October when researchers at Defused detected unknown attackers using an exploit to silently generate administrator-level accounts on publicly exposed devices.
“We are seeing multiple attacker-created admin accounts across victims, confirming automated exploitation and global scanning activity.”
Researchers Observe Global Scanning and Unauthorized Account Creation
New analysis published by Daniel Card of PwnDefend and the Defused research team shows that attackers are abusing a path traversal flaw affecting the following endpoint:/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi
By sending crafted HTTP POST requests to this path, threat actors can bypass authentication and instruct the device to generate local admin-level accounts. The exploitation involves payloads that insert preconfigured usernames and passwords directly into the system’s configuration.
Researchers have identified multiple malicious accounts created across compromised systems. Observed usernames include Testpoint, trader1, and trader, with passwords such as 3eMIXX43, AFT3$tH4ck, and AFT3$tH4ckmet0d4yaga!n.
The attacks are originating from a wide range of IP addresses, including:
- 107.152.41.19
- 144.31.1.63
- IP blocks within 185.192.70.0/24
- 64.95.13.8 (observed in initial October activity)
Security firm watchTowr Labs independently confirmed the exploit by demonstrating how a failed login attempt could be followed by the exploit—and then a successful login using the newly created admin credentials. The company also released an artifact-generation tool to help defenders detect whether their FortiWeb systems are vulnerable.
Rapid7’s testing indicates that all FortiWeb 8.0.1 and earlier versions are affected. The patched release, version 8.0.2, is believed to have been issued at the end of October, although Fortinet has not yet published any advisory on its PSIRT page confirming the vulnerability or assigning a CVE ID.
Administrators Urged to Patch Immediately and Review for Signs of Intrusion
Because active exploitation is already underway, defenders are being advised to take immediate action. This includes applying the latest firmware update and reviewing systems for unauthorized administrative accounts—even if the devices appear to be functioning normally.
“Organizations should assume that any exposed FortiWeb appliance running a vulnerable version has already been scanned and potentially targeted,” researchers warn.
Admins are encouraged to:
- Update to FortiWeb 8.0.2 without delay
- Review administrative user lists for unexpected accounts
- Inspect logs for requests reaching the fwbcgi path
- Block public internet access to management interfaces
- Restrict access to trusted networks or VPN-only channels
Fortinet has not yet responded to media inquiries regarding the vulnerability or its exploitation.
As attackers accelerate scanning and automate exploitation, security teams are urged to act quickly. Even a brief exposure window could allow adversaries to gain privileged access and use affected devices as a foothold into corporate environments.
