PT-2025-32883 · Fortinet · Fortiweb

Avivnix · Published 2025-08-12 · Updated 2026-01-12 · CVE-2025-52970

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Fortinet FortiWeb versions 7.0 through 7.6
Fortinet FortiWeb versions 7.6.3 and below
Fortinet FortiWeb versions 7.4.7 and below
Fortinet FortiWeb versions 7.2.10 and below
Fortinet FortiWeb versions 7.0.10 and below
Description
Improper handling of parameters in Fortinet FortiWeb allows an unauthenticated remote attacker who holds non-public information about the device and the targeted user to gain administrative privileges. The issue stems from an out-of-bounds read during cookie parsing, which lets an attacker forge authentication cookies and bypass authentication. Exploitation involves manipulating the 'Era' cookie parameter so that the server uses a predictable secret key for session encryption and HMAC signing. A successful attacker can impersonate any user, including administrators, via the /api/v2.0/system/status.systemstatus endpoint and potentially reach the command-line interface via /ws/cli/open. Active exploitation of this issue has been observed from multiple IP addresses, and widespread attacks exploiting this vulnerability have been reported.
Recommendations
Update to FortiWeb version 7.6.4 or later.
Update to FortiWeb version 7.4.8 or later.
Update to FortiWeb version 7.2.11 or later.
Update to FortiWeb version 7.0.11 or later.

Exploit · Fix · LPE · RCE

Weakness Enumeration

Related Identifiers

BDU:2025-09849
CVE-2025-52970

Affected Products

Fortiweb