A Fortinet FortiWeb path traversal vulnerability is being actively exploited to create new administrative users on exposed devices without requiring authentication.

The issue is fixed in FortiWeb 8.0.2, and admins are urged to update as soon as possible and check for signs of unauthorized access

The exploitation was first spotted by threat intelligence company Defused on October 6, which reported an “Unknown Fortinet exploit” used against exposed devices to create admin accounts.

Since then, attacks have increased, with threat actors now spraying the exploit globally.

According to new research published by Daniel Card of PwnDefend and Defused, the flaw is a path traversal issue affecting the following Fortinet endpoint:

/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi

Threat actors are sending HTTP POST requests to this path containing payloads that create local admin-level accounts on the targeted device.

The exploitation observed by researchers includes multiple sets of created username and password combinations, with usernames including Testpoint, trader1, and trader. Passwords seen assigned to accounts include 3eMIXX43, AFT3$tH4ck, and AFT3$tH4ckmet0d4yaga!n.

The attacks originated from a wide range of IP addresses, including:

• 107.152.41.19
• 144.31.1.63
• Addresses in the 185.192.70.0/24 range
• 64.95.13.8 (from original October report)

Security researchers at watchTowr Labs have confirmed the exploit, posting a video on X that demonstrates a failed FortiWeb login attempt, the execution of the exploit, and the successful login as the newly created admin user.

watchTowr also released a tool called “FortiWeb Authentication Bypass Artifact Generator,” which attempts to exploit the flaw by creating an admin user with an 8-character random username derived from a UUID.

The tool was released to help defenders identify vulnerable devices.

According to Rapid7, which tested the exploit across multiple versions, the flaw affects FortiWeb versions 8.0.1 and earlier. The flaw was fixed in version 8.0.2, which is believed to have been released at the end of October.

However, BleepingComputer has been unable to find any disclosure of a FortiWeb vulnerability on Fortinet’s PSIRT site that matches the one being exploited.

BleepingComputer contacted Fortinet with questions about this reported exploitation and will update our story when we receive a response.

As the vulnerability appears to be actively exploited in the wild, administrators should review their devices for unusual administrative accounts, check logs for requests to the fwbcgi path, and investigate any activity from the identified suspicious IP addresses.

Administrators should also ensure these management interfaces are not reachable from the internet and are restricted to trusted networks or VPN-only access.