A security researcher has released partial evidence of exploitation for a vulnerability in the FortiWeb web application firewall that allows a remote attacker to bypass authentication.
The flaw was responsibly disclosed to Fortinet and is now tracked as CVE-2025-52970. Fortinet released a fix on 12 August.
Security researcher Aviv Y named the vulnerability FortMajeure, describing it as a "silent failure" that was never meant to happen. Technically, it is an out-of-bounds read in FortiWeb's cookie parsing that allows an attacker to set the Era parameter to an unexpected value.
This causes the server to use an all-zero secret key for session encryption and HMAC signing, which makes forging authentication cookies trivial.
Successful exploitation results in a complete authentication bypass, allowing an attacker to impersonate any active user, including an administrator.
To successfully exploit CVE-2025-52970, the target user must have an active session during the attack, and the attacker must brute-force a small numeric field in the cookie.
The brute-force requirement comes from a field in the signed cookie that is validated by the function refresh_total_logins() (in libncfg.so).
This field holds an unknown number that the attacker must guess, but the researcher notes that its range usually does not exceed 30, leaving a small search space of about 30 requests.
Because exploitation relies on all-zero keys (due to the Era bug), each guess can be tested immediately by checking whether the forged cookie is accepted.
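To illustrate the bug class described above (an unchecked index selecting the signing key, so an out-of-range Era yields an all-zero key), here is an added Python example that is not FortiWeb code and does not reproduce its cookie format; the key table, the zero-filled region standing in for memory past the table, the payload and the function names are all constructed assumptions. It places the vulnerable lookup beside a bounds-checked one and shows which cookies each verifier accepts.

```python
import hashlib
import hmac
import os

# Constructed key table: one key per valid era (0 and 1). The zero-filled
# region stands in for memory beyond the table, mirroring the all-zero key
# the article says the server ends up using for an out-of-range Era.
KEY_TABLE = [os.urandom(32), os.urandom(32)]
MEMORY_PAST_TABLE = bytes(32)  # constructed: simulated zeroed memory


def lookup_key_unchecked(era: int) -> bytes:
    """Vulnerable pattern: the era index is trusted without a bounds check.

    Any era outside the table (including negative values) falls through to
    the zero-filled region, so the caller signs and verifies with a zero key.
    """
    if 0 <= era < len(KEY_TABLE):
        return KEY_TABLE[era]
    return MEMORY_PAST_TABLE  # simulates the out-of-bounds read


def lookup_key_checked(era: int) -> bytes:
    """Hardened pattern: reject every era the table does not define."""
    if not 0 <= era < len(KEY_TABLE):
        raise ValueError(f"invalid era {era}")
    return KEY_TABLE[era]


def sign(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify_cookie(payload: bytes, era: int, tag: bytes, lookup) -> bool:
    """Server-side check: recompute the HMAC with the key selected by era."""
    try:
        key = lookup(era)
    except ValueError:
        return False  # unknown era is an authentication failure, not a fallback
    return hmac.compare_digest(sign(payload, key), tag)


def demo() -> dict:
    payload = b"user=admin"  # constructed session payload
    bogus_era = 7  # any value outside the two-entry table
    zero_key_tag = sign(payload, bytes(32))  # tag over an all-zero key
    genuine_tag = sign(payload, KEY_TABLE[1])
    return {
        "unchecked_accepts_zero_key_tag": verify_cookie(payload, bogus_era, zero_key_tag, lookup_key_unchecked),
        "checked_rejects_zero_key_tag": not verify_cookie(payload, bogus_era, zero_key_tag, lookup_key_checked),
        "checked_accepts_genuine_tag": verify_cookie(payload, 1, genuine_tag, lookup_key_checked),
    }
```

The fix is the bounds check in `lookup_key_checked`: a rejected era must fail verification outright rather than fall back to whatever bytes sit beyond the key table.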
This issue affects FortiWeb 7.0 through 7.6, and was fixed in the following versions:
- FortiWeb 7.6.4 and later
- FortiWeb 7.4.8 and later
- FortiWeb 7.2.11 and later
- FortiWeb 7.0.11 and later
Fortinet says in its bulletin that FortiWeb 8.0 releases are not affected by this issue, so no action needs to be taken there.
The security bulletin lists no workarounds or mitigation advice, so upgrading to a fixed version is the only recommended effective action.
Fortinet's CVSS severity score of 7.7 may be misleading, as it stems from the "high attack complexity" rating attributed to the brute-force requirement. In practice, however, the brute-force part is simple and quick to perform.
The researcher shared a PoC output screenshot showing a REST endpoint returning the admin session. However, he withheld the full exploit, which also includes connecting to the FortiWeb CLI via /ws/cli/open.

Source: Aviv Y
However, Aviv Y promised to publish the full exploitation details later, as the vendor's advisory was only released recently. The researcher made this decision to give system administrators more time to apply the fix.
The published details reveal the root cause of the issue, but they are not enough for attackers to work out the rest and develop a fully weaponized chain, the researcher told BleepingComputer.
He explained that attackers would have to reverse engineer the format of the field in the session, which is impractical because Fortinet has its own data structures.
Despite this, immediate action should be taken to mitigate the issue, as hackers follow such announcements closely and are ready to pull the trigger when the full PoC is out.
Aviv Y told BleepingComputer that he has not decided on a date to publish the exploit, but plans to give defenders time to respond to the risk.