Fortinet FortiWeb authentication bypass: Exploit release pending

On August 14, 2025, a security researcher demonstrated technical details and announced plans to publicly release a proof-of-concept (POC) exploit for a flaw in Fortinet’s FortiWeb. 

The vulnerability, dubbed “FortMajeure”, is tracked as CVE-2025-52970 (Fortinet identifier: FG-IR-25-448). It may allow an unauthenticated remote user, with non-public information pertaining to the device and targeted user, to gain admin privileges on the device via a malicious request. 

It affects Fortinet FortiWeb versions: 

• 7.6.3 and below

• 7.4.7 and below 

• 7.2.10 and below 

• 7.0.10 and below 

Fortinet released fixed versions: 7.0.11, 7.2.11, 7.4.8, and 7.6.4 on August 12, 2025, assigning it a CVSS 3.1 base score of 7.7 (high) out of 10.

The 7.7 scoring is due to the need for an active session and a guessed value, and thus Fortinet assesses an attack scenario as “high complexity”.

However, researchers warn this score understates the real exploitation risks. Since these requirements can easily be achieved with a brute-force attack; once a user session is present, the attack would be low effort for an adversary. 

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up

Analyst insight

FortiWeb’s role as a perimeter defense appliance makes this vulnerability particularly concerning. A web application firewall is meant to protect critical applications from attacks. If it's compromised, it can undermine the entire security model.

Field Effect has been observing threat actors quickly exploiting newly revealed flaws in security appliances (VPNs, firewalls, WAFs) because they often yield high rewards. With a public exploit release expected for CVE-2025-52970, organizations should assume that threat actors are already developing scanning tools and readying attacks to launch the moment the exploit drops.

Immediate patching is the most effective mitigation for this exploit. Fortinet’s advisory outlines the fixed versions, and organizations should prioritize upgrading any client systems running vulnerable FortiWeb versions.

If patching cannot be done right away, disable the web-based admin interface to reduce exposure. Consider placing it behind a firewall or restricting access to trusted IPs. Use multi-factor authentication for all admin access and avoid default credentials.