Cyber Web Spider Blog – News

FortiWeb Authentication Bypass Vulnerability Let Attackers Log in As Any Existing User

Posted on August 13, 2025 By CWS

A critical authentication bypass vulnerability in FortiWeb allows unauthenticated remote attackers to impersonate any existing user on affected systems.

The vulnerability, tracked as CVE-2025-52970 with a CVSS score of 7.7, affects multiple FortiWeb versions and stems from improper parameter handling in the cookie parsing mechanism.

Key Takeaways
1. CVE-2025-52970 lets attackers bypass authentication to log in as any user on FortiWeb systems.
2. FortiWeb 7.0-7.6 versions are vulnerable.
3. Attackers manipulate cookie parameters to force zero-filled encryption keys.

FortiWeb Out-of-Bounds Vulnerability

The vulnerability stems from an out-of-bounds read in FortiWeb's cookie handling code and is classified as CWE-233 (Improper Handling of Parameters).

During cookie parsing, the system uses an "Era" parameter to select encryption keys from a shared memory array without proper validation.

The FortiWeb session cookie contains three components: the Era (session type identifier), the Payload (encrypted session data including username and role), and the AuthHash (HMAC-SHA1 signature).

By manipulating the Era parameter to values between 2 and 9, attackers can force the system to read uninitialized memory locations, potentially resulting in the use of null or zero-filled encryption keys.

Out-of-bounds Flaw

This manipulation effectively reduces the cryptographic security to zero, as the probability of the key being all zeros changes from 1/2^n (normal conditions) to 1 (guaranteed under exploitation).

The researcher Aviv Y demonstrated this with a proof-of-concept targeting the /api/v2.0/system/status.systemstatus endpoint, showing successful admin impersonation via crafted cookie requests.
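As an added illustration (not code from the page, from Fortinet, or from the researcher), here is a hardened version of the key-selection step described above, written in C: the Era index is validated against the provisioned key table before it is used, and an all-zero key is rejected before any HMAC is computed. The cookie field syntax ("Era=<n>&Payload=...&AuthHash=..."), the table size and the key length are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed layout: only Era 0 and 1 have provisioned keys. The real
 * FortiWeb shared-memory layout and key length are not on the page. */
#define KEY_LEN   16
#define NUM_ERAS   2

typedef struct { uint8_t key[NUM_ERAS][KEY_LEN]; } key_table_t;

/* Parse the Era field from a cookie value of the assumed form
 * "Era=<n>&Payload=<...>&AuthHash=<...>". Returns -1 if it is
 * missing or not a non-negative decimal integer. */
static int parse_era(const char *cookie)
{
    const char *p = strstr(cookie, "Era=");
    if (!p) return -1;
    p += 4;
    char *end;
    long v = strtol(p, &end, 10);
    if (end == p || v < 0 || v > INT32_MAX) return -1;
    return (int)v;
}

/* An all-zero key gives no HMAC security; treat the slot as unprovisioned. */
static int key_is_all_zero(const uint8_t *k, size_t len)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) acc |= k[i];
    return acc == 0;
}

/* Hardened lookup: the Era must index inside the table (closing the 2..9
 * out-of-bounds window) and the key must be non-zero. NULL = reject. */
static const uint8_t *select_session_key(const key_table_t *t, const char *cookie)
{
    int era = parse_era(cookie);
    if (era < 0 || era >= NUM_ERAS) return NULL;
    const uint8_t *k = t->key[era];
    return key_is_all_zero(k, KEY_LEN) ? NULL : k;
}

/* Demo table (constructed): slot 0 provisioned, slot 1 left zero-filled. */
static int cookie_accepted(const char *cookie)
{
    static key_table_t t;
    memset(t.key[0], 0x5a, KEY_LEN);     /* slot 0: provisioned */
    memset(t.key[1], 0x00, KEY_LEN);     /* slot 1: never provisioned */
    return select_session_key(&t, cookie) != NULL;
}
```

The same two checks (index within the provisioned table, key not all zeros) apply to any design that selects a per-session key by a client-supplied index.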

Risk Factors and Details
Affected Products: FortiWeb 7.0.0 – 7.0.10; FortiWeb 7.2.0 – 7.2.10; FortiWeb 7.4.0 – 7.4.7; FortiWeb 7.6.0 – 7.6.3; FortiWeb 8.0: Not Affected
Impact: Authentication bypass
Exploit Prerequisites: Private device information; private targeted user information; active user session during exploit; brute-force of validation number (~30 attempts)
CVSS 3.1 Score: 7.7 (High Severity)

Mitigations

The vulnerability affects FortiWeb versions 7.0.0 through 7.0.10, 7.2.0 through 7.2.10, 7.4.0 through 7.4.7, and 7.6.0 through 7.6.3, while FortiWeb 8.0 remains unaffected.

Organizations should upgrade to patched versions: 7.0.11+, 7.2.11+, 7.4.8+, or 7.6.4+, respectively.

The exploit requires specific conditions, including knowledge of private device information and an active target user session during exploitation.

Exploit chain 

Attack complexity involves brute-forcing an unknown validation number via the refresh_total_logins() function, typically requiring fewer than 30 attempts with O(N) computational cost.

Security researcher Aviv Y, who discovered this vulnerability under responsible disclosure, developed a complete exploit chain using the /ws/cli/open endpoint for CLI access.

Fortinet has already released a patch for the vulnerability; users are advised to update their systems with the patches released yesterday.
