FortiWeb Path Traversal Flaw: How Attackers Are Creating Admin Accounts and What Defenders Must Do
A single misstep in input validation has opened the door for attackers to seize control of Fortinet FortiWeb devices, turning a routine web management interface into a launchpad for privilege escalation. The critical path traversal vulnerability, now widely exploited thanks to a public proof of concept (PoC), allows threat actors to create admin accounts with just a few crafted HTTP requests. Security researchers have demonstrated how attackers bypass authentication, create new admin users, and gain full control—sometimes within minutes of discovering an exposed device. The rapid spread of exploitation, fueled by community-shared PoCs and real-world attack anecdotes, underscores the urgency for organizations to patch and lock down their systems (BleepingComputer).
Inside the Exploit: How the FortiWeb Path Traversal Vulnerability Lets Attackers Become Admins
Understanding the Path Traversal Vulnerability
The FortiWeb path traversal vulnerability, identified as a critical security flaw, allows unauthorized users to gain administrative access to Fortinet devices. This vulnerability is primarily due to improper validation of user-supplied input in the web management interface, specifically the endpoint /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi. Attackers exploit this flaw by sending specially crafted HTTP POST requests to the vulnerable path, enabling them to traverse directories and execute unauthorized commands. (BleepingComputer)
Exploit Mechanism and Attack Vectors
The exploitation process involves threat actors crafting payloads that manipulate the directory traversal vulnerability to create new administrative accounts on the targeted FortiWeb devices. This manipulation is achieved by appending specific payloads to the vulnerable endpoint, which bypasses authentication checks. The payloads often include commands to create admin-level accounts with pre-defined usernames and passwords, such as Testpoint, trader1, and trader, with passwords like 3eMIXX43 and AFT3$tH4ck. These accounts grant attackers full control over the device, allowing them to alter configurations or exfiltrate sensitive data. (BleepingComputer)
Public Proof of Concept (PoC) and Its Implications
The public availability of a Proof of Concept (PoC) for this vulnerability has significantly increased its exploitation rate. Security researchers at watchTowr Labs demonstrated the vulnerability by posting a video on X showing a failed login attempt, followed by successful exploitation and login as a newly created admin user. The PoC has been widely circulated, enabling even less sophisticated attackers to exploit the vulnerability effectively. This widespread dissemination underscores the importance of promptly patching vulnerable systems. (BleepingComputer)
Mitigation and Defensive Strategies
To mitigate the risks associated with this vulnerability, administrators should immediately update to FortiWeb version 8.0.2, where the flaw has been addressed. Additionally, it is crucial to restrict access to management interfaces, ensuring they are not exposed to the internet and are only accessible through trusted networks or VPNs. Regularly reviewing logs for unusual administrative account creation and monitoring for requests to the vulnerable path can help identify potential exploitation attempts. Implementing these defensive measures can significantly reduce the risk of unauthorized access. (BleepingComputer)
The Role of Threat Intelligence and Community Response
The discovery and reporting of this vulnerability by threat intelligence companies like Defused and researchers such as Daniel Card of PwnDefend have been instrumental in raising awareness and prompting defensive actions. The collaborative efforts of the cybersecurity community, including the release of tools like the “FortiWeb Authentication Bypass Artifact Generator” by watchTowr, have provided defenders with resources to identify and remediate vulnerable devices. This collective response highlights the importance of information sharing and community engagement in addressing emerging cybersecurity threats. (BleepingComputer)
Final Thoughts
The FortiWeb path traversal flaw is a stark reminder that even a single overlooked input validation can have sweeping consequences. With attackers actively creating admin accounts and public PoCs lowering the barrier to entry, organizations must act decisively—patching systems, restricting access, and monitoring for suspicious activity. The collaborative response from the cybersecurity community, including rapid tool development and information sharing, has been vital in helping defenders stay one step ahead. As attack surfaces expand with the rise of IoT and AI-driven infrastructure, vigilance and community engagement remain our best defense against the next wave of exploits (BleepingComputer).
References
- BleepingComputer. (2024). FortiWeb flaw with public PoC actively exploited to create admin users. https://www.bleepingcomputer.com/news/security/fortiweb-flaw-with-public-poc-actively-exploited-to-create-admin-users/
