A critical security vulnerability in Fortinet’s FortiWeb web application firewall has been discovered that allows unauthenticated attackers to bypass authentication and impersonate any existing user on affected devices.
The flaw, tracked as CVE-2025-52970 and dubbed “Fort-Majeure” by its discoverer, stems from improper parameter handling in the application’s cookie parsing mechanism.
Vulnerability Details and Impact
The vulnerability exploits an out-of-bounds read access issue in FortiWeb’s cookie handling code, enabling attackers to force the server to use a predictable, all-zero secret key for session encryption and signing.
Security researcher Aviv Y (@0x_shaq), who discovered and responsibly disclosed the flaw, explained that the authentication bypass occurs through manipulation of the “Era” parameter in session cookies.
| Field | Value |
| CVE ID | CVE-2025-52970 |
| Published Date | August 12, 2025 |
| IR Number | FG-IR-25-448 |
| Severity | High |
| CVSS v3.1 Score | 7.7 |
| CVSS Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:C |
| CWE Classification | CWE-233: Improper Handling of Parameters |
“This bug represents the kind of silent failure that wasn’t meant to happen — where a system built to protect ends up trusting nothing as everything,” the researcher noted.
The vulnerability allows attackers with non-public information about both the target device and specific users to craft malicious requests that bypass authentication entirely.
The session cookie mechanism in FortiWeb consists of three components: an Era value, an encrypted payload containing session information, and an authentication hash.
By manipulating the Era parameter to values between 2 and 9, attackers can trigger the out-of-bounds read that forces the system to use compromised encryption keys.
Affected Versions and Severity Assessment
Fortinet has assigned a CVSS v3.1 score of 7.7 (High severity) to this vulnerability. Multiple FortiWeb versions across different release branches are affected:
| FortiWeb Version | Affected Releases | Recommended Action |
| FortiWeb 8.0 | Not affected | Not applicable |
| FortiWeb 7.6 | 7.6.0 through 7.6.3 | Upgrade to 7.6.4 or above |
| FortiWeb 7.4 | 7.4.0 through 7.4.7 | Upgrade to 7.4.8 or above |
| FortiWeb 7.2 | 7.2.0 through 7.2.10 | Upgrade to 7.2.11 or above |
| FortiWeb 7.0 | 7.0.0 through 7.0.10 | Upgrade to 7.0.11 or above |
The researcher demonstrated successful exploitation through REST API endpoints and CLI connections, showing how attackers can impersonate administrative users.
However, the attack has several limitations that reduce its practical impact. Exploitation requires brute-forcing an unknown validation number and necessitates that target users maintain active sessions during the attack window.
The mathematical probability of successful key prediction increases dramatically due to the vulnerability, as the system defaults to using all-zero encryption keys instead of properly randomized values.
Fortinet published the security advisory on August 12, 2025, and has released patches for all affected versions.
Organizations running vulnerable FortiWeb installations should prioritize immediate updates to the latest available versions.
The company acknowledged Aviv Y’s responsible disclosure and has implemented fixes across all supported product lines.
This vulnerability represents a significant security concern for organizations relying on FortiWeb for web application protection, emphasizing the critical importance of maintaining current security patches for network infrastructure components.
AWS Security Services:10-Point Executive Checklist - Download for Free