Close Menu

Exploited Fortinet Flaw: Admin Accounts at Risk!

Staff WriterBy No Comments3 Mins Read10 Views

Quick Takeaways

  1. Authentication Bypass Vulnerability: Cybersecurity experts have identified an authentication bypass vulnerability in Fortinet’s FortiWeb WAF, enabling attackers to take over admin accounts and compromise devices.

  2. Indiscriminate Exploitation Observed: Active exploitation of this vulnerability, which was silently patched in version 8.0.2, has been reported, focusing on creating new admin accounts for persistent access.

  3. Technical Mechanics: The vulnerability arises from a combination of a path traversal bug and an authentication bypass, allowing attackers to impersonate any user by exploiting specific HTTP request attributes.

  4. Urgent Action Required: Organizations using versions pre-8.0.2 must take immediate action, as existing exploits are actively being sold on black markets, indicating a high risk of compromise.

Active Exploitation of Fortinet FortiWeb Vulnerability

Cybersecurity experts have raised alarms about a serious authentication bypass flaw within Fortinet’s FortiWeb application firewall. This vulnerability allows attackers to create unauthorized admin accounts, enabling full device takeovers. Reports indicate that active exploitation occurred recently, as threat actors utilized the flaw to add new administrator accounts for persistent access. Research teams successfully created a proof-of-concept to demonstrate the vulnerability. They also developed a tool to help identify affected devices, emphasizing the urgency for organizations to act.

The vulnerability results from a combination of two flaws: a path traversal error and an authentication bypass. Attackers exploit the flaw by sending malicious payloads through the HTTP POST request to a specific endpoint. Consequently, this allows them to impersonate any user, including the built-in admin account. As noted by researchers, this process leverages the CGIINFO header from incoming requests to perform actions without proper authorization. Such exploitation enables the creation of new local users with elevated privileges.

Response and Recommended Precautions

Fortinet has not yet issued a CVE identifier, leaving organizations vulnerable. Rapid7 has urged those using versions of FortiWeb prior to 8.0.2 to take immediate action to patch their systems. The threat landscape remains unclear, as details about the attackers and their methods continue to surface. Meanwhile, members of the cybersecurity community advise organizations to monitor for signs of prior compromise when the vulnerability was still unpatched.

As the industry grapples with these revelations, many enterprises find themselves in familiar territory: scrambling to understand the implications of the vulnerability while implementing necessary mitigations. The urgency for proactive security measures cannot be underestimated. Organizations must stay vigilant and ensure timely updates to protect against potential exploitation, thereby safeguarding their digital infrastructure.

Continue Your Tech Journey

Stay informed on the revolutionary breakthroughs in Quantum Computing research.

Explore past and present digital transformations on the Internet Archive.

DataProtection-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Comments are closed.