
FortiWeb vulnerability actively exploited to create admin accounts

A vulnerability in Fortinet FortiWeb is being actively exploited worldwide to create new administrator accounts without authentication on devices that are directly accessible from the internet. 

This involves a path traversal that makes it possible to call an internal CGI script via the management path. Researchers have observed attackers scanning large numbers of devices and bombarding them with automated requests, so any system with an exposed management interface is at immediate risk.

According to BleepingComputer, the bug has now been fixed in FortiWeb 8.0.2, a version that was released at the end of October. However, Fortinet has not published any information explaining exactly what has been repaired. There is no CVE, no PSIRT advisory, and no explanation of the nature or severity of the vulnerability. As a result, there is a good chance that organizations realized too late that the update contained a security patch and that they used vulnerable systems for weeks or even months.

The way the exploit is executed is relatively simple. Attackers send a POST request to the endpoint “/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi”.

The path traversal causes the device to execute the underlying CGI function, after which the payload creates a new local administrator account. Researchers have seen multiple usernames created in this way. Examples include Testpoint, trader, and trader1.

Passwords such as 3eMIXX43 and AFT3$tH4ck also appeared in the logs of affected systems. The attacks originate from a variety of networks. BleepingComputer mentions, among others, the address 107.152.41.19, a host in the 185.192.70.0/24 range, and a previously reported address, 64.95.13.8.

Global scan and spray campaigns visible

The abuse is being observed on an increasingly large scale. Security companies see that these are not targeted attacks on specific organizations, but a global spray campaign that attempts to compromise every publicly accessible FortiWeb system. This is particularly relevant for data centers, managed service providers, and other multi-tenant environments, because a compromised FortiWeb can potentially affect multiple customers at the same time.

FortiWeb’s role as a web application firewall also means that the impact is greater than a single device: those who have access to the management platform often also have insight into or influence over underlying applications.

BleepingComputer reports that Fortinet has not yet responded to questions about the vulnerability and that no official documentation describing the bug is available. Until Fortinet provides clarity, organizations will have to rely on their own checks.

It is advisable to immediately update to version 8.0.2 or higher, review existing log files for suspicious POST requests to the aforementioned path, and check whether any unexpected management accounts have been created. It is also advisable to verify that the FortiWeb management interface is not publicly accessible without good reason.
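The two checks recommended above (suspicious POST requests to the exploited path, and administrator accounts that nobody created on purpose) can be scripted. The following is an added example written for this article, not code from Fortinet or from the researchers cited. It assumes a generic combined-log style export of the management interface's access log; the log format, the field layout and every log line below are constructed, and the source addresses and ranges are only those the article reports. The percent-decoding loop is a defensive generalization so that encoded forms of the traversal do not slip past a plain substring match; it is not a claim about which encodings the device itself accepts.

```python
"""Defender-side triage helpers for the FortiWeb admin-creation attacks:
scan an HTTP access log for the exploited path and compare the device's
admin list against the accounts you expect to exist.

Log format, regex and all sample lines are constructed for this example.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Source addresses / ranges named in the article (reported, not verified here).
REPORTED_SOURCES = [
    ip_network("107.152.41.19/32"),
    ip_network("185.192.70.0/24"),
    ip_network("64.95.13.8/32"),
]

# Assumed combined-log-style line: client - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)


def normalize_path(path: str) -> str:
    """Percent-decode until stable so %2F / %2E spellings of the traversal
    cannot hide from a substring match (defensive normalization only)."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path


def is_suspicious_request(method: str, path: str) -> bool:
    """POST to the admin management API path that traverses into cgi-bin/fwbcgi,
    which is the request shape the article describes."""
    p = normalize_path(path).lower()
    return (
        method == "POST"
        and p.startswith("/api/v2.0/cmdb/system/admin")
        and "../" in p
        and p.endswith("/cgi-bin/fwbcgi")
    )


def in_reported_ranges(ip: str) -> bool:
    """True if the client address falls in a range the article names."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in REPORTED_SOURCES)


def scan_log(text: str) -> list[dict]:
    """Return one record per suspicious request found in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious_request(m["method"], m["path"]):
            hits.append({
                "ip": m["ip"],
                "path": m["path"],
                "status": int(m["status"]),
                "reported_source": in_reported_ranges(m["ip"]),
            })
    return hits


def unexpected_admins(current: list[str], expected: list[str]) -> list[str]:
    """Accounts present on the device that are not on the approved list."""
    return sorted(set(current) - set(expected))


# Constructed sample log: two traversal POSTs (one plain, one with %2F
# encoding) from addresses in the reported ranges, plus two benign requests.
SAMPLE_LOG = """\
107.152.41.19 - - [01/Nov/2025:08:14:02 +0000] "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512
10.0.0.5 - - [01/Nov/2025:08:15:10 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 200 1024
185.192.70.44 - - [01/Nov/2025:08:16:33 +0000] "POST /api/v2.0/cmdb/system/admin%3F/..%2F..%2F..%2F..%2F..%2Fcgi-bin/fwbcgi HTTP/1.1" 200 512
10.0.0.7 - - [01/Nov/2025:08:17:01 +0000] "POST /api/v2.0/cmdb/system/admin HTTP/1.1" 200 300
"""

# Constructed admin list: names from the article beside the approved "admin".
CURRENT_ADMINS = ["admin", "Testpoint", "trader", "trader1"]
APPROVED_ADMINS = ["admin"]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"suspicious: {hit['ip']} (reported source: {hit['reported_source']}) {hit['path']}")
    print("unexpected admins:", unexpected_admins(CURRENT_ADMINS, APPROVED_ADMINS))
```

On real logs, feed the exported text to `scan_log` and treat any hit as a reason to audit the admin list and rotate credentials, whether or not the client address matches a reported range; the ranges are only a prioritization aid, since the article notes the attacks come from a variety of networks.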