A newly disclosed authentication bypass vulnerability in FortiWeb could allow remote attackers to log in as any existing user on affected systems without authentication.
The flaw, tracked as CVE-2025-52970 with a CVSS score of 7.7, arises from improper parameter handling in FortiWeb’s cookie parsing mechanism.
The flaw stems from an out-of-bounds read in the cookie-handling code and is classified under CWE-233: Improper Handling of Parameters.
FortiWeb session cookies consist of three components:
* Era – a session type identifier
* Payload – encrypted session data (username, role)
* AuthHash – an HMAC SHA1 signature
During parsing, the “Era” parameter is used to select encryption keys from a shared memory array. However, values between 2 and 9 can force the system to read uninitialized memory, often resulting in null or zero-filled encryption keys.
This effectively reduces the cryptographic protection to zero, allowing attackers to impersonate users, including administrators. Security researcher Aviv Y demonstrated this through a proof-of-concept targeting the /api/v2.0/system/status.systemstatus endpoint, successfully logging in with crafted cookie requests.
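As an added illustration, not FortiWeb's code or the researcher's proof of concept, the following Python sketch shows the defensive checks a cookie verifier needs around the era-indexed key lookup the article describes: a strict allowlist on the era value, a refusal to use an all-zero key, and a constant-time HMAC-SHA1 comparison. The `era|payload|authhash` layout, the key table, and the use of an unencrypted payload are assumptions made for this example.

```python
import hmac
import hashlib
import secrets
from typing import Optional

# Assumed key table (not from the advisory): only eras 0 and 1 hold real
# keys; the zero-filled entries stand in for the uninitialised memory that
# the write-up says a bad era value can select.
KEY_TABLE = [secrets.token_bytes(20), secrets.token_bytes(20)] + [bytes(20)] * 8
VALID_ERAS = {0, 1}  # allowlist of session types the server actually issues


def select_key(era: int) -> Optional[bytes]:
    """Hardened key lookup: allowlist, bounds check, and no empty keys."""
    if era not in VALID_ERAS or era >= len(KEY_TABLE):
        return None
    key = KEY_TABLE[era]
    if not any(key):  # an all-zero key is no secret at all; never use it
        return None
    return key


def _mac(key: bytes, era: int, payload: bytes) -> str:
    # Bind the era into the MAC so it cannot be swapped independently.
    return hmac.new(key, b"%d|" % era + payload, hashlib.sha1).hexdigest()


def sign(era: int, payload: bytes) -> str:
    """Issue a cookie of the assumed form era|payload_hex|authhash."""
    key = select_key(era)
    if key is None:
        raise ValueError("refusing to sign with an unusable key")
    return f"{era}|{payload.hex()}|{_mac(key, era, payload)}"


def verify(cookie: str) -> Optional[bytes]:
    """Return the payload if the cookie validates, otherwise None."""
    try:
        era_s, payload_hex, authhash = cookie.split("|")
        era = int(era_s)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None  # malformed cookie: wrong field count or bad encoding
    key = select_key(era)
    if key is None:
        return None  # era outside the allowlist or mapped to a zero key
    if not hmac.compare_digest(_mac(key, era, payload), authhash):
        return None  # signature mismatch, compared in constant time
    return payload
```

The key point is that `select_key` fails closed: an era the server never issues is rejected before any signature check, so a missing or zero-filled key can never become a valid signing key.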
The vulnerability impacts:
* FortiWeb 7.0.0 – 7.0.10
* FortiWeb 7.2.0 – 7.2.10
* FortiWeb 7.4.0 – 7.4.7
* FortiWeb 7.6.0 – 7.6.3
FortiWeb 8.0 is not affected.
Fortinet has released patched versions:
* 7.0.11+
* 7.2.11+
* 7.4.8+
* 7.6.4+
To exploit the flaw, attackers must:
* Have knowledge of certain non-public device information
* Target an active user session
Despite these requirements, the vulnerability poses a serious threat to organizations relying on vulnerable FortiWeb appliances for web application security.