CVE-2025-52970
Published: 2025-08-12
Priority: P1 · 88 · high · 8.1 (CVSS 3.1) · vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 10.67% (95.2nd percentile)
An improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and 7.0.10 and below may allow an unauthenticated remote attacker with non-public information pertaining to the device and targeted user to gain admin privileges on the device via a specially crafted request.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortinet | — | — |
| fortinet | fortiweb | — | — |
| fortinet | fortiweb | >= 7.0.0 < 7.0.11 | 7.0.11 |
| fortinet | fortiweb | 7.0.0 – 7.0.10 | — |
| fortinet | fortiweb | >= 7.2.0 < 7.2.11 | 7.2.11 |
| fortinet | fortiweb | 7.2.0 – 7.2.10 | — |
| fortinet | fortiweb | >= 7.4.0 < 7.4.8 | 7.4.8 |
| fortinet | fortiweb | 7.4.0 – 7.4.7 | — |
| fortinet | fortiweb | >= 7.6.0 < 7.6.4 | 7.6.4 |
| fortinet | fortiweb | 7.6.0 – 7.6.3 | — |
| msrc | azl3_mariadb_10.11.11-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_mariadb_10.6.21-1_on_cbl_mariner_2.0 | — | — |
Detection & IOCs (extracted from sources)
- cookie: APSCOOKIE_FWEB_
- cookie: Era=<2-9>&Payload=<b64>&AuthHash=<b64>
- url: /api/fabric/device/status
- url: /cgi-bin/ml-draw.py

snort rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Fortinet FortiWeb Out of Bounds Access via HTTP Cookie (CVE-2025-52970)"; flow:established,to_server; http.uri; content:"/api/"; startswith; http.cookie; content:"APSCOOKIE_FWEB_"; fast_pattern; content:"Era|3d|"; pcre:"/^[2-9](?:$|\x26)/R"; content:"Payload|3d|"; content:"AuthHash|3d|"; reference:url,pwner.gg/blog/2025-08-13-fortiweb-cve-2025-52970; reference:cve,2025-52970; classtype:web-application-attack; sid:2064933; rev:1; metadata:affected_product FortiWeb, attack_target Server, tls_state TLSDecrypt, created_at 2025_09_25, cve CVE_2025_52970, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_09_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Flag any HTTP request to /api/* endpoints where the cookie contains APSCOOKIE_FWEB_ with an Era value of 2–9; this indicates exploitation of the out-of-bounds read that causes the server to use an all-zero 3DES key.
- The forged cookie structure is Era=<N>&Payload=<base64-ciphertext>&AuthHash=<base64-HMAC>. Legitimate cookies always use Era=0; Era values 2–9 are the exploit trigger.
- The attacker brute-forces a small numeric field (range typically ≤30) in the forged cookie by replaying ~30 requests; detect rapid repeated requests to authenticated endpoints with varying cookie Payload values but the same Era value ≥2.
- The brute-forced field is validated by refresh_total_logins() in libncfg.so; endpoint access with repeated forged cookies targeting /api/ paths is a strong indicator of active exploitation.
- Monitor for access to /ws/cli/open; this WebSocket endpoint is targeted by the full exploit chain to gain CLI access after authentication bypass.
- Shodan/FOFA exposure queries can identify internet-facing FortiWeb instances that are potential targets: http.title:"FortiWeb" or app="Fortinet-FortiWeb".
- The patch blocks Era >= 2; if you can inspect patched vs. unpatched behavior, any acceptance of Era=2 cookies is a definitive indicator of a vulnerable device.
- Exploitation requires the target user to have an active session at the time of the attack; the attacker must also know the username to impersonate.
- The security bulletin lists no workarounds or mitigations; upgrading to a fixed version is the only recommended action.
- The IV used in the forged cookie does not need to match the server's IV when the attacker rearranges the plaintext fields (exp/user/role order swap), because the protected handler only checks for the presence of 'user=' and 'role=' substrings.
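The detection logic described in the rule and the notes above, written out as an added Python example that is not part of this page or of any cited source. It applies the same conditions as the Suricata rule (path under /api/, a cookie named APSCOOKIE_FWEB_*, a single-digit Era of 2–9 with Payload and AuthHash present) to constructed request records, and adds the per-client replay-burst check from the notes. The record format, the REPLAY_THRESHOLD value, and every sample address and cookie value are assumptions made for the example.

```python
"""Detector for forged FortiWeb session cookies (CVE-2025-52970 pattern).

Same conditions as the Suricata rule in this section: request path under /api/,
a cookie named APSCOOKIE_FWEB_*, and an Era field of exactly one digit 2..9 with
Payload= and AuthHash= present. A second pass counts distinct Payload values per
client and Era to surface the replay burst described in the IOC notes.
"""
import re
from collections import defaultdict

COOKIE_NAME_PREFIX = "APSCOOKIE_FWEB_"
# Same value set as the rule's pcre /^[2-9](?:$|&)/ applied after "Era=".
SUSPICIOUS_ERA = re.compile(r"^[2-9]$")
# Assumption (not from the page): this many distinct Payload values from one client
# with the same non-zero Era is reported as a brute-force burst.
REPLAY_THRESHOLD = 5


def parse_cookie_header(header):
    """Split a Cookie header into {name: value}. Values may themselves contain '=',
    so only the first '=' of each pair separates the name from the value."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            cookies[name.strip()] = value.strip()
    return cookies


def parse_fortiweb_cookie(value):
    """Parse Era=<n>&Payload=<b64>&AuthHash=<b64>. Returns a dict of the fields,
    or None when the value does not have that shape."""
    fields = {}
    for kv in value.split("&"):
        if "=" not in kv:
            return None
        key, val = kv.split("=", 1)
        fields[key] = val
    if not {"Era", "Payload", "AuthHash"} <= set(fields):
        return None
    return fields


def suspicious_cookie(path, cookie_header):
    """Return the parsed cookie fields when the request matches the exploit
    pattern, otherwise None. Scope is limited to /api/ paths, as in the rule."""
    if not path.startswith("/api/"):
        return None
    for name, value in parse_cookie_header(cookie_header).items():
        if not name.startswith(COOKIE_NAME_PREFIX):
            continue
        fields = parse_fortiweb_cookie(value)
        if fields and SUSPICIOUS_ERA.match(fields["Era"]):
            return fields
    return None


def scan(records):
    """Run both checks over (timestamp, client_ip, path, cookie_header) tuples.
    Returns one alert per matching request plus one alert per (client, Era)
    pair whose distinct Payload count reaches REPLAY_THRESHOLD. A production
    version would also bound the burst check by a time window."""
    alerts = []
    payloads = defaultdict(set)  # (client_ip, Era) -> distinct Payload values
    for ts, ip, path, cookie in records:
        fields = suspicious_cookie(path, cookie)
        if fields is None:
            continue
        alerts.append({"kind": "forged_cookie", "ts": ts, "ip": ip,
                       "path": path, "era": fields["Era"]})
        payloads[(ip, fields["Era"])].add(fields["Payload"])
    for (ip, era), seen in sorted(payloads.items()):
        if len(seen) >= REPLAY_THRESHOLD:
            alerts.append({"kind": "replay_burst", "ip": ip, "era": era,
                           "distinct_payloads": len(seen)})
    return alerts


# Constructed sample traffic (not real captures); Payload/AuthHash are dummy base64.
SAMPLE_REQUESTS = [
    ("2025-09-25T10:00:00Z", "198.51.100.7", "/api/v2.0/system/status",
     "APSCOOKIE_FWEB_0001=Era=0&Payload=QUJDREVG&AuthHash=MTIzNDU2"),  # normal session
    ("2025-09-25T10:00:01Z", "203.0.113.9", "/login",
     "APSCOOKIE_FWEB_0001=Era=2&Payload=QUFBQUFB&AuthHash=QkJCQkJC"),  # outside /api/, out of scope
    ("2025-09-25T10:00:02Z", "192.0.2.44", "/api/v2.0/cmdb/system/admin",
     "APSCOOKIE_FWEB_0001=Era=3&Payload=Q0NDQ0ND&AuthHash=RERERERE"),  # single forged request
]
# Seven rapid requests from one client, same Era, different Payload: the brute-force pattern.
SAMPLE_REQUESTS += [
    ("2025-09-25T10:00:%02dZ" % (3 + i), "203.0.113.9", "/api/v2.0/system/status",
     "APSCOOKIE_FWEB_0001=Era=2&Payload=UEFZ%02d&AuthHash=QkJCQkJC" % i)
    for i in range(7)
]


def demo():
    """Alerts for the constructed sample: 8 forged_cookie + 1 replay_burst."""
    return scan(SAMPLE_REQUESTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The per-request check is deliberately as narrow as the rule (Era is matched as exactly one digit 2–9, only under /api/), so the two can be compared on the same traffic; the burst check is the extra signal the notes recommend, and in a real pipeline it should be keyed by a sliding time window rather than by the whole batch.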
CVSS provenance
- nvd (v3.1): 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 8.1 HIGH
- vendor_msrc: 4.9 MEDIUM
GHSA
GHSA-jc24-hjq6-4g6f (ghsa_unreviewed · 2025-08-12) · CVE-2025-52970 [HIGH] · CWE-233
VulnCheck
Fortinet FortiWeb Improper Handling of Parameters (vulncheck · 2025 · CVSS 8.1) · CVE-2025-52970 [HIGH]
Affected: Fortinet FortiWeb
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-52970; https://hs-8813571.f.hubspotemail.net/hubfs/8813571/PERISCOPE_VULNINTEL_20251007.pdf
Exploit PoC: https://vulncheck.com/xdb/6d2494a0026
Fortinet
FG-IR-25-448 (vendor_fortinet · 2025-08-12 · CVSS 8.1) · CVE-2025-52970 [HIGH] · CWE-233
CVEs: CVE-2025-52970
CWEs: CWE-233
CVSS: 8.1 (high)
Affected products: FortiWeb, Fortinet
Microsoft
vendor_msrc · 2025-03-11 · CVSS 4.9 · CVE-2023-52970 [MEDIUM] · CWE-1038 (this record concerns CVE-2023-52970, a MariaDB issue, not the FortiWeb CVE above)
MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7 through 10.11.*, 11.0 through 11.0.*, and 11.1 through 11.4.* crashes in Item_direct_view_ref::derived_field_transformer_for_where.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to
Suricata
ET WEB_SPECIFIC_APPS Fortinet FortiWeb Out of Bounds Access via HTTP Cookie (CVE-2025-52970) (suricata · 2025-09-25 · CVSS 8.1) · CVE-2025-52970 [HIGH]
Rule: sid 2064933; the full rule text is quoted under Detection & IOCs above.
Nuclei
Fortinet FortiWeb - Authentication Bypass to Admin Privilege (nuclei · CVSS 8.1) · CVE-2025-52970 [HIGH]
Template:
```
id: CVE-2025-52970

info:
  name: Fortinet FortiWeb - Authentication Bypass to Admin Privilege
  author: Sourabh-Sahu
  severity: high
  description: |
    A improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and 7.0.10 and below may allow an unauthenticated remote attacker with non-public information pertaining
```
Bleepingcomputer
Researcher to release exploit for full auth bypass on FortiWeb (blogs_bleepingcomputer · 2025-08-16 · CVSS 8.1) · CVE-2025-52970 [HIGH]
## Researcher to release exploit for full auth bypass on FortiWeb
By Bill Toulas
A security researcher has released a partial proof of concept exploit for a vulnerability in the FortiWeb web application firewall that allows a remote attacker to bypass authentication.
The flaw was reported responsibly to Fortinet and is now tracked as CVE-2025-52970. Fortinet released a fix on August 12.
Security researcher Aviv Y named the vulnerability FortMajeure and describes it as a "silent failure that wasn’t meant to happen." Technically, it is an out-of-bounds read in FortiWeb’s cookie parsing that lets an attacker set the Era parameter to an unexpected value.
This causes the server to use an all-zero secret key for session encryption and HMAC signing, making forged authentication cookies trivi
Greynoiseio
NoiseLetter September 2025 (blogs_greynoiseio)
CTF
coldboots / README (ctf_writeups · 2025 · CVSS 8.1) · CVE-2025-52970 [HIGH]
# Fiftiweb: FortiWeb CVE-2025-52970 auth bypass
```
Team: coldboots (https://ctftime.org/team/144114/)
Author: @ciphr
Date: 11.11.2025
```
# TL;DR
- era=2..9 use zero-initialized memory as 3DES key aka `key = b"\x00"*24`
- We craft our own cookie with `role=admin` to get flag from /protected
- Challenge is based on a vulnerability in Fortiweb (CVE-2025-52970 auth bypass): https://nvd.nist.gov/vuln/detail/CVE-2025-52970
Well done and a round of applause for EPT and nordbo for creating a CTF challenge from a CVE, always welcome and related to the daily work for some of us. It also shows that a lot of the stuff we do in CTFs can be and is related to real-world usage. Both in how we work (methods, tools etc.) when solving challenges, but also how vulnerabilities "are made", and how we explo
Timeline: 2025-08-12 published · exploited in the wild