Overview
- Attackers send HTTP POST requests to the /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi endpoint to bypass authentication and create local administrators on exposed devices.
- Rapid7 testing indicates FortiWeb versions 8.0.1 and earlier are vulnerable, with version 8.0.2 reported to remediate the flaw.
- watchTowr reproduced the issue, published a demonstration, and released an artifact generator to help defenders identify susceptible appliances.
- Observed compromises included new accounts such as Testpoint, trader1 and trader with passwords like 3eMIXX43 and AFT3$tH4ck.
- Administrators are urged to apply 8.0.2, review logs for fwbcgi access, search for unauthorized admin users, investigate listed suspicious IPs, and restrict management interfaces to trusted access.
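A defender-side check for the log review and admin-account audit recommended above, as an added example (not code from Rapid7, watchTowr or Fortinet); the common-log-style layout, the sample lines and the approved-admin baseline are constructed assumptions:

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines in a common-log-like layout (an assumption, not FortiWeb's real log format).
SAMPLE_LOG = """\
203.0.113.10 - - [14/Nov/2025:10:01:02 +0000] "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512
198.51.100.7 - - [14/Nov/2025:10:02:15 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 401 0
203.0.113.10 - - [14/Nov/2025:10:03:40 +0000] "GET /cgi-bin/fwbcgi HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def resolved_path(raw_path):
    """Drop a literal query string, decode percent-encoding once (so %3f becomes a
    path character rather than a query separator) and collapse ../ segments to see
    where the request actually lands."""
    path = raw_path.split("?", 1)[0]
    return posixpath.normpath(unquote(path))


def fwbcgi_alerts(log_text):
    """Return one alert per request that reaches /cgi-bin/fwbcgi, noting whether it
    got there directly or by traversal from another path (e.g. /api/...)."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m.group("path").split("?", 1)[0]
        resolved = resolved_path(raw)
        if not resolved.endswith("/cgi-bin/fwbcgi"):
            continue
        reason = "traversal-to-fwbcgi" if resolved != raw else "direct-fwbcgi"
        alerts.append({"ip": m.group("ip"), "method": m.group("method"),
                       "status": m.group("status"), "reason": reason})
    return alerts


def unexpected_admins(observed, baseline):
    """Admin accounts present on the device but absent from the approved baseline."""
    return sorted(set(observed) - set(baseline))


if __name__ == "__main__":
    for alert in fwbcgi_alerts(SAMPLE_LOG):
        print(alert)
    # Constructed observed list echoing the account names reported in the advisory.
    print(unexpected_admins(["admin", "Testpoint", "trader1", "trader"], ["admin"]))
```

Any "traversal-to-fwbcgi" hit from a source outside the trusted management range, or an admin name outside the baseline, warrants the incident review the advisory describes.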