A major security flaw has come to light in Fortinet’s FortiWeb. This vulnerability allows attackers to skip authentication checks and register admin accounts without authorization. Discovered by researcher Sina Kheirkhah from WatchTowr Labs, this flaw stems from a combination of two vulnerabilities: a path traversal bug and an authentication bypass leveraging the HTTP request header CGIINFO.
This particular exploitation activity was first identified in early September, causing concern over the security of systems using FortiWeb. The vulnerability allows hackers to manipulate the system to gain privileged access, posing a serious risk to organizations relying on Fortinet’s web application firewall.
Technical Details of the Vulnerability
An attacker only needs to know the path to the “fwbcgi” executable in the HTTP request. Attackers exploit it by sending a payload through an HTTP POST request to the endpoint located at “/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi.” Using this approach, they are able to generate administrative-level accounts without appropriate validation.
Kheirkhah explained the mechanics of the exploit, stating, “That means an attacker can perform any privileged action simply by supplying the appropriate JSON structure.” Threat actors now have the capability to impersonate any user using client-supplied data to perform this action. The fields added to the original HTTP request tell the “fwbcgi” which user the sender wants to act on behalf of.
WatchTowr Labs were able to reproduce the vulnerability and develop a working proof-of-concept (PoC) to showcase its potential for exploitation. Our PoC describes a technique an attacker could use to extract a CGIINFO header. They can then decode its Base64-encoded value, parse it as JSON, and iterate over its keys to perform unauthorized actions.
Impact on Organizations and Responses
The weaponization of this vulnerability not only affects our customers who use FortiWeb, but all organizations. Diligent threat actors are already working to automate the generation of valid admin usernames and passwords. A few of them are “Testpoint / AFodIUU3Sszp5” and “trader1 / 3eMIXX43.” These activities go well beyond putting individual accounts at risk—they’re a fundamental threat to the security of the entire network.
In light of these developments, Benjamin Harris from PwnDefend emphasized, “Patched in [version 8.0.2], the vulnerability allows attackers to perform actions as a privileged user—with in-the-wild exploitation focusing on adding a new administrator account as a basic persistence mechanism for the attackers.” This underscores the critical need for users to implement required patches as soon as possible.
Caitlin Condon raised concerns about the practice of silently patching vulnerabilities, stating, “Silently patching vulnerabilities is an established bad practice that enables attackers and harms defenders.” Organizations are now left to ascertain all indications of past compromise while contacting Fortinet for additional explanation.
Best Practices Moving Forward
Specialists recommend keeping HTTP and HTTPS management interfaces available only to internal networks. This measure is key to mitigating risks, but remember that it doesn’t remove risk in full. In their announcement, the Cybersecurity and Infrastructure Security Agency (CISA) once again stressed that improving systems in use is still crucial to fully remediating this vulnerability.
Fortinet has since taken responsibility for the issue and is currently in direct communication with impacted customers. A spokesperson stated, “We are aware of this vulnerability and activated our PSIRT response and remediation efforts as soon as we learned of this matter, and those efforts remain ongoing.” They took extra strides to assure customers of their security measures and transparency whenever tackling customer issues.
As enterprises recoil from this suddenly blemished vulnerability, they will need to be ever pragmatic in protecting their networks against the risk of exploitation. Harris noted, “While we wait for a comment from Fortinet, users and enterprises are now facing a familiar process: look for trivial signs of prior compromise, reach out to Fortinet for more information, and apply patches if you haven’t already.”