FortiWeb Flaw Actively Exploited to Create Rogue Admin Accounts

A recently disclosed path traversal vulnerability in Fortinet FortiWeb has led to widespread, active exploitation in the wild. 

The flaw — now fixed in FortiWeb version 8.0.2 — allows unauthenticated threat actors to create administrative accounts on exposed FortiWeb devices. 

Security researchers urge organizations to update immediately and review systems for evidence of compromise, as exploitation continues to increase across the globe.

Researchers Uncover FortiWeb Path Traversal Flaw

The vulnerability was first observed by Defused, a threat intelligence firm, on October 6, when researchers identified an “unknown Fortinet exploit” being used to create unauthorized administrative accounts. 

Subsequent analysis by researchers at PwnDefend confirmed that the flaw is a path traversal issue within a Fortinet endpoint located at the following:

/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi

Through crafted HTTP POST requests to this path, attackers can bypass authentication controls and push payloads that generate new administrator-level accounts on targeted devices. The issue impacts FortiWeb versions 8.0.1 and earlier.

Evidence of Active FortiWeb Exploitation

Researchers have observed multiple usernames and passwords created through this attack vector, including administrative accounts such as Testpoint, trader1, and trader. 

Passwords linked to malicious account creation include 3eMIXX43, AFT3$tH4ck, and AFT3$tH4ckmet0d4yaga!n. 

The campaigns appear to originate from numerous IP addresses, including 107[.]152[.]41[.]19, 144[.]31[.]1[.]63, addresses in the 185[.]192[.]70[.]0/24 block, and 64[.]95[.]13[.]8, the latter referenced in the October reporting.

watchTowr Labs researchers have independently validated the exploit’s functionality. 

In a demonstration video posted to X, researchers showed a failed FortiWeb login attempt, execution of the path traversal exploit, and subsequent successful authentication using a newly created admin account. 

watchTowr has since released a defensive tool — FortiWeb Authentication Bypass Artifact Generator — designed to help organizations test their own appliances for vulnerability by attempting to generate a randomized administrative username.

Hardening FortiWeb Against Active Attacks

Organizations facing active exploitation of the FortiWeb vulnerability should take immediate steps to harden their environments and reduce exposure.

• Update FortiWeb to version 8.0.2 or later.
• Audit administrative accounts and review logs for unauthorized users, suspicious fwbcgi path requests, and abnormal administrative activity.
• Monitor network traffic for connections from known malicious IPs and use SIEM tools to correlate anomalies or repeated POST requests.
• Restrict management interface exposure by limiting access to trusted networks, enforcing VPN-only administration, and applying strict ACLs.
• Strengthen network architecture using segmentation and continuous vulnerability scanning to reduce attack pathways and detect exposed services.
• Enhance authentication and awareness by enforcing MFA for administrative access and staying current with vendor advisories and threat intelligence.

These steps help reduce the risk of unauthorized access and limit the impact of emerging FortiWeb exploitation campaigns.

The active exploitation of the FortiWeb path traversal flaw highlights the continued targeting of network security appliances by threat actors seeking privileged access. 

While a fix is available in FortiWeb 8.0.2, the volume of exploitation attempts suggests many devices remain unpatched. 

Organizations should prioritize updates, conduct thorough log reviews, and strengthen controls around management interface exposure to reduce the likelihood of compromise and to prevent unauthorized administrative account creation.

These ongoing risks underscore why adopting zero-trust principles is essential for building cyber resilience.