A suspected Fortinet FortiWeb zero-day is actively exploited, researchers warn
A suspected (but currently unidentified) zero-day vulnerability in Fortinet FortiWeb is being exploited by unauthenticated attackers to create new admin accounts on vulnerable, internet-facing devices.

Whether intentionally or accidentally, the vulnerability (or this specific path for triggering it) has been addressed in the latest FortiWeb version (8.0.2), Rapid7 researchers confirmed.
Exploitation in the wild
Exploitation attempts were first observed at the beginning of October by threat intelligence company Defused, after one of their honeypots had been targeted.
The now publicly available proof-of-concept exploit has been tested by Rapid7 and watchTowr researchers, and the former have also published a script that can be used to check whether a specific FortiWeb instance is vulnerable to this authentication bypass flaw.
Fortinet hasn’t published a security advisory that might identify this vulnerability and has yet to officially comment on the matter.
What to do?
“Exploitation of this new vulnerability allows an attacker with no existing level of access to gain administrator-level access to the FortiWeb Manager panel and websocket command-line interface,” Rapid7 researchers explained.
To prevent exploitation, Fortinet customers using the web application firewall have been advised to either update to version 8.0.2 or remove their FortiWeb management interface from the public internet.
Customers who have not done either since early October, when exploitation attempts were first observed, should also check for known indicators of compromise and for new or unrecognised admin user accounts and, if any are found, conduct a full incident investigation.
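One way to carry out the account check described above is to compare the device's current administrator list against a known-good baseline and flag anything new or created after exploitation attempts began. The script below is an added illustration, not part of the article and not Fortinet or Rapid7 code. It assumes a simplified, constructed export format of `name,profile,created` lines; a real FortiWeb admin export will look different and the parser must be adapted to it. The cutoff year is also an assumption, since the article gives only "early October".

```python
"""Flag administrator accounts that are absent from a known-good baseline or
were created on or after a chosen cutoff date.

Added example, not the article's or Fortinet's/Rapid7's code. The export
format parsed here ('name,profile,YYYY-MM-DD') is constructed for this
illustration and is not the real FortiWeb export format.
"""

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AdminAccount:
    name: str
    profile: str
    created: date


def parse_admin_export(text: str) -> list[AdminAccount]:
    """Parse 'name,profile,YYYY-MM-DD' lines; blank lines and '#' comments are skipped."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, profile, created = (field.strip() for field in line.split(","))
        accounts.append(AdminAccount(name, profile, date.fromisoformat(created)))
    return accounts


def find_suspicious_admins(accounts, baseline, cutoff):
    """Return (account, reasons) pairs for accounts not in the baseline set
    or created on/after the cutoff date. Both conditions are reported so an
    analyst sees why each account was flagged."""
    suspicious = []
    for acct in accounts:
        reasons = []
        if acct.name not in baseline:
            reasons.append("not in baseline")
        if acct.created >= cutoff:
            reasons.append(f"created {acct.created} (on or after cutoff {cutoff})")
        if reasons:
            suspicious.append((acct, reasons))
    return suspicious


# Constructed sample export (not real device data).
SAMPLE_EXPORT = """
# name,profile,created
admin,prof_admin,2023-05-14
secops,prof_admin,2024-02-01
svc_backup,prof_admin,2025-10-06
"""

# Known-good admin names, e.g. from change records or a pre-October backup.
BASELINE = {"admin", "secops"}

# Exploitation attempts were first seen in early October; the year is assumed.
CUTOFF = date(2025, 10, 1)


if __name__ == "__main__":
    accounts = parse_admin_export(SAMPLE_EXPORT)
    for acct, reasons in find_suspicious_admins(accounts, BASELINE, CUTOFF):
        print(f"{acct.name} ({acct.profile}): {'; '.join(reasons)}")
```

A flagged account is a lead, not a verdict: as the article advises, an unrecognised admin account should trigger a full incident investigation rather than just deletion, because the attacker may have made other changes through the same access.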

