A security researcher has released a partial proof of concept exploit for a vulnerability in the FortiWeb web application firewall that allows a remote attackerto bypass authentication.
The flaw was reported responsibly to Fortinet and is now tracked as CVE-2025-52970. Fortinetreleased a fixon August 12.
Security researcher Aviv Y named the vulnerability FortMajeure and describes it as a “silent failure that wasn’t meant to happen.” Technically, it is an out-of-bounds read in FortiWeb’s cookie parsing that lets an attacker set the Era parameter to an unexpected value.
This causes the server to use an all-zero secret key for session encryption and HMAC signing, making forged authentication cookies trivial to create.
Exploitation results in a full authentication bypass, letting the attacker impersonate any active user, including an administrator.
To exploit CVE-2025-52970 successfully, the target user must have an active session during the attack, and the adversary must brute-force a small numeric field in the cookie.
The brute-forcing requirement comes from a field in the signed cookie that is validated by the function refresh_total_logins() (in libncfg.so).
This field is an unknown number that the attacker must guess, but the researcher notes that the range is usually not above 30, makingg it a tiny search space of roughly 30 requests.
Because the exploit uses the all-zero key (due to the Era bug), each guess can be tested instantly by checking if the forged cookie is accepted.
The issue impacts FortiWeb 7.0 to 7.6, and was fixed in the below versions:
- FortiWeb 7.6.4 and later
- FortiWeb 7.4.8 and later
- FortiWeb 7.2.11 and later
- FortiWeb 7.0.11 and later
Fortinet says in the bulletinthat FortiWeb 8.0 releases aren’t impacted by this issue, so there’s no action that needs to be taken there.
The security bulletin lists no workarounds or mitigation advice, so upgrading to a safe version is the only recommended effective action.
Fortinet’s CVSS severity score of 7.7 can be deceptive, as it derives from “high attack complexity” due to the brute-forcing requirement. In practice though, the brute-forcing part is simple and quick to perform.
The researcher shared aPoC output, showing admin impersonation on a REST endpoint. However, he withheld the complete exploit that also covers connecting to the FortiWeb CLI via /ws/cli/open.
