At a glance: A critical, actively exploited path traversal flaw in Fortinet FortiWeb allows unauthenticated attackers to create admin accounts and gain full control. A public POC is circulating, with widespread scanning confirmed. Upgrading to FortiWeb 8.0.2 or later blocks the exploit. Field Effect MDR users are automatically alerted if vulnerable versions are detected and should review related AROs for verification and remediation steps.
On November 8, 2025, a public proof-of-concept (POC) was released for a previously undocumented path traversal vulnerability in Fortinet FortiWeb, and it is now being actively exploited.
By November 13, 2025, multiple researchers and media outlets reported that exploitation activity had escalated into widespread scanning campaigns targeting FortiWeb instances globally.
The earliest signs of exploitation were observed on October 6, 2025, when researchers detected suspicious traffic in their honeypot environments. On November 3, 2025, dark web chatter surfaced advertising an alleged zero-day remote code execution exploit targeting FortiWeb.
The exploit bypasses authentication and invokes internal scripts to create new administrative accounts, granting full access to the FortiWeb management interface and WebSocket command-line interface.
Multiple researchers have confirmed the vulnerability and documented exploitation patterns, indicating broad and active targeting.
Several sources have verified that FortiWeb version 8.0.2, released at the end of October 2025, blocks the exploit path with a 403 Forbidden response. According to testing by CERT Orange Cyberdefense, systems running the following FortiWeb versions are vulnerable:
They reported that the issue does not affect FortiWeb versions 8.0.2, 7.6.5, 7.4.10, and 7.2.12.
As of November 14, Fortinet has not published an advisory or assigned a CVE identifier for this vulnerability, as confirmed by the absence of a matching disclosure on the Fortinet Product Security Incident Response Team (PSIRT) site.

This is a critical-risk vulnerability with confirmed real-world exploitation, a publicly available proof-of-concept, and broad exposure, which warrants immediate patching. The exploit requires no user interaction and is technically simple to execute. Compromise of Fortinet devices can expose sensitive data and disrupt business operations.
Organizations using FortiWeb are advised to upgrade to version 8.0.2 or later, which has been shown to block the exploit. Field Effect MDR users will be alerted via ARO if vulnerable systems are detected in their environment.
In the absence of official guidance, restricting public access to FortiWeb management interfaces and limiting exposure to internal networks or VPN-only access is recommended.
Administrators are encouraged to audit privileged accounts for unauthorized additions, review logs for access to the vulnerable endpoint, and monitor for indicators of compromise such as suspicious usernames and IP addresses. The worst-case scenario includes full device compromise, lateral movement, and disruption of web application protections.
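The two audit steps above (checking for unauthorized privileged accounts and reviewing logs for traversal attempts) can be scripted. The following is an added example, not code from Field Effect or Fortinet, and it assumes two things the advisory does not state: that HTTP access logs are available as text lines in a common-log-style format with the request in double quotes, and that the current list of admin accounts can be exported and compared against a baseline snapshot taken before the exposure window. All log lines and account names below are constructed for illustration and are not real indicators.

```python
"""Added example (not Field Effect's or Fortinet's code): two defender-side
checks after a path traversal disclosure on an edge appliance.

Assumptions (not from the advisory):
  * Access logs are text lines with the request quoted: '... "GET /path HTTP/1.1" ...'
  * The current admin account list can be exported and compared to a baseline.
Sample log lines and account lists are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Matches the quoted request portion of a common-log-format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[0-9.]+"')


def decode_fully(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded dot segments (%252e) are
    caught; stop early once another pass no longer changes the string."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(path: str) -> bool:
    """True if the decoded request path contains a parent-directory ('..')
    segment, including backslash and mixed-separator variants."""
    decoded = decode_fully(path).replace("\\", "/")
    # Only the path component is inspected; the query string is dropped.
    decoded = decoded.split("?", 1)[0]
    return any(segment == ".." for segment in decoded.split("/"))


def find_traversal_requests(log_lines):
    """Return (client_ip, method, raw_path) for every line whose request
    path contains a traversal sequence. Lines that do not parse are skipped."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        if has_traversal(match.group("path")):
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, match.group("method"), match.group("path")))
    return hits


def new_admin_accounts(baseline, current):
    """Accounts present now but absent from the pre-exposure baseline.
    Comparison is case-insensitive so 'Admin2' and 'admin2' are treated alike."""
    known = {name.lower() for name in baseline}
    return sorted(name for name in current if name.lower() not in known)


# Constructed sample data (RFC 5737 documentation addresses, invented paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Nov/2025:10:01:02 +0000] "GET /api/v2.0/status HTTP/1.1" 200 512',
    '203.0.113.9 - - [08/Nov/2025:10:01:09 +0000] "POST /api/v2.0/../../internal/example HTTP/1.1" 200 88',
    '203.0.113.9 - - [08/Nov/2025:10:01:10 +0000] "GET /api/%2e%2e/%2e%2e/example HTTP/1.1" 403 0',
    '192.0.2.44 - - [08/Nov/2025:10:02:00 +0000] "GET /login?next=..%2F.. HTTP/1.1" 200 1024',
    "malformed line without a request",
]
BASELINE_ADMINS = ["admin", "secops_ro"]
CURRENT_ADMINS = ["admin", "secops_ro", "Trader", "helpdesk"]

if __name__ == "__main__":
    for ip, method, path in find_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {method} {path}")
    for name in new_admin_accounts(BASELINE_ADMINS, CURRENT_ADMINS):
        print(f"admin account not in baseline: {name}")
```

The decoder runs several passes so that double-encoded dot segments are not missed, and separators are normalized before the path is split, so `..%5c` is caught as well as `../`. Only the path component is checked; a `..` that appears solely inside a query string (the fourth sample line) is deliberately not flagged, since that is a different class of request and would otherwise produce noise. The account comparison lowercases names so that a near-duplicate of an existing account does not slip through on case alone.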