CVE-2025-52970
published 2025-08-12

Priority: P1 (88), high
CVSS 3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploited in the wild: ITW exploit, VulnCheck KEV, initial access
EPSS: 10.67% (95.2th percentile)
An improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and 7.0.10 and below may allow an unauthenticated remote attacker with non-public information pertaining to the device and targeted user to gain admin privileges on the device via a specially crafted request.

Affected (12 ranges)

Vendor   | Product                                    | Version range      | Fixed in
fortinet | fortinet                                   |                    |
fortinet | fortiweb                                   |                    |
fortinet | fortiweb                                   | >= 7.0.0 < 7.0.11  | 7.0.11
fortinet | fortiweb                                   | 7.0.0 – 7.0.10     |
fortinet | fortiweb                                   | >= 7.2.0 < 7.2.11  | 7.2.11
fortinet | fortiweb                                   | 7.2.0 – 7.2.10     |
fortinet | fortiweb                                   | >= 7.4.0 < 7.4.8   | 7.4.8
fortinet | fortiweb                                   | 7.4.0 – 7.4.7      |
fortinet | fortiweb                                   | >= 7.6.0 < 7.6.4   | 7.6.4
fortinet | fortiweb                                   | 7.6.0 – 7.6.3      |
msrc     | azl3_mariadb_10.11.11-1_on_azure_linux_3.0 |                    |
msrc     | cbl2_mariadb_10.6.21-1_on_cbl_mariner_2.0  |                    |

Detection & IOCs (extracted from sources)

cookie: APSCOOKIE_FWEB_
cookie: Era=<2-9>&Payload=<b64>&AuthHash=<b64>
url: /api/fabric/device/status
url: /ws/cli/open
url: /cgi-bin/ml-draw.py
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Fortinet FortiWeb Out of Bounds Access via HTTP Cookie (CVE-2025-52970)"; flow:established,to_server; http.uri; content:"/api/"; startswith; http.cookie; content:"APSCOOKIE_FWEB_"; fast_pattern; content:"Era|3d|"; pcre:"/^[2-9](?:$|\x26)/R"; content:"Payload|3d|"; content:"AuthHash|3d|"; reference:url,pwner.gg/blog/2025-08-13-fortiweb-cve-2025-52970; reference:cve,2025-52970; classtype:web-application-attack; sid:2064933; rev:1; metadata:affected_product FortiWeb, attack_target Server, tls_state TLSDecrypt, created_at 2025_09_25, cve CVE_2025_52970, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_09_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Flag any HTTP request to /api/* endpoints where the cookie contains APSCOOKIE_FWEB_ with an Era value of 2–9; this indicates exploitation of the out-of-bounds read that causes the server to use an all-zero 3DES key.
  • The forged cookie structure is Era=<N>&Payload=<base64-ciphertext>&AuthHash=<base64-HMAC>. Legitimate cookies always use Era=0; Era values 2–9 are the exploit trigger.
  • The attacker brute-forces a small numeric field (range typically ≤30) in the forged cookie by replaying ~30 requests; detect rapid repeated requests to authenticated endpoints with varying cookie Payload values but the same Era value ≥2.
  • The brute-forced field is validated by refresh_total_logins() in libncfg.so; endpoint access with repeated forged cookies targeting /api/ paths is a strong indicator of active exploitation.
  • Monitor for access to /ws/cli/open — this WebSocket endpoint is targeted by the full exploit chain to gain CLI access after authentication bypass.
  • Shodan/FOFA exposure queries can identify internet-facing FortiWeb instances that are potential targets: http.title:"FortiWeb" or app="Fortinet-FortiWeb".
  • The patch blocks Era >= 2; if you can inspect patched vs. unpatched behavior, any acceptance of Era=2 cookies is a definitive indicator of a vulnerable device.
  • Exploitation requires the target user to have an active session at the time of the attack; the attacker must also know the username to impersonate.
  • The security bulletin lists no workarounds or mitigations; upgrading to a fixed version is the only recommended action.
  • The IV used in the forged cookie does not need to match the server's IV when the attacker rearranges the plaintext fields (exp/user/role order swap), because the protected handler only checks for the presence of 'user=' and 'role=' substrings.
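As an added example (not code from the page, the rule author, or Fortinet), the per-request Era check from the Snort rule above and the replay heuristic from the bullets, run over constructed request records; the client IPs, cookie values and the three-payload threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample traffic as (client IP, request URI, Cookie header); not captured data.
SAMPLE_REQUESTS = [
    ("203.0.113.5", "/api/v2.0/system/status", "APSCOOKIE_FWEB_1=Era=0&Payload=QUJD&AuthHash=REVG"),
    ("203.0.113.5", "/api/v2.0/system/status", "theme=dark; APSCOOKIE_FWEB_1=Era=2&Payload=QUJDMQ==&AuthHash=REVG"),
    ("203.0.113.5", "/api/v2.0/system/status", "APSCOOKIE_FWEB_1=Era=2&Payload=QUJDMg==&AuthHash=REVG"),
    ("203.0.113.5", "/api/v2.0/system/status", "APSCOOKIE_FWEB_1=Era=2&Payload=QUJDMw==&AuthHash=REVG"),
    ("198.51.100.9", "/login", "APSCOOKIE_FWEB_1=Era=2&Payload=QUJD&AuthHash=REVG"),  # not under /api/
    ("198.51.100.9", "/api/v2.0/cmdb/system/admin", "APSCOOKIE_FWEB_1=Era=0&Payload=QUJD&AuthHash=REVG"),
]

COOKIE_PREFIX = "APSCOOKIE_FWEB_"  # the real cookie name carries a suffix after this prefix

def parse_fweb_cookie(cookie_header):
    """Return {'Era', 'Payload', 'AuthHash'} from the first APSCOOKIE_FWEB_* cookie, or None."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name.startswith(COOKIE_PREFIX):
            fields = dict(kv.split("=", 1) for kv in value.split("&") if "=" in kv)
            return {k: fields.get(k) for k in ("Era", "Payload", "AuthHash")}
    return None

def is_exploit_attempt(uri, cookie_header):
    """Per-request check mirroring the ET rule: /api/* URI plus an Era field of exactly 2-9."""
    if not uri.startswith("/api/"):
        return False
    c = parse_fweb_cookie(cookie_header)
    return bool(c and c["Era"] is not None and re.fullmatch(r"[2-9]", c["Era"]))

def find_brute_force(requests, min_payloads=3):
    """Flag clients that replay many distinct Payload values under the same forged Era,
    which is the brute force of the small numeric field described above."""
    seen = defaultdict(set)
    for ip, uri, cookie in requests:
        if is_exploit_attempt(uri, cookie):
            c = parse_fweb_cookie(cookie)
            seen[(ip, c["Era"])].add(c["Payload"])
    return [
        {"client": ip, "era": era, "distinct_payloads": len(payloads)}
        for (ip, era), payloads in seen.items() if len(payloads) >= min_payloads
    ]

if __name__ == "__main__":
    hits = [r for r in SAMPLE_REQUESTS if is_exploit_attempt(r[1], r[2])]
    print(f"{len(hits)} per-request hits")          # 3 on the constructed sample
    for alert in find_brute_force(SAMPLE_REQUESTS):
        print("replay pattern:", alert)
```

Legitimate sessions use Era=0, so the per-request check alone is already high-signal; the replay grouping adds the brute-force context the bullets describe.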

CVSS provenance

nvd: v3.1 8.1 HIGH (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
vulncheck: 8.1 HIGH
vendor_msrc: 4.9 MEDIUM