FortiWeb vulnerability actively exploited to create admin accounts
Briefly

"A vulnerability in Fortinet FortiWeb is being actively exploited worldwide to create new administrator accounts without authentication on devices that are directly accessible from the internet. This involves a path traversal that makes it possible to call an internal CGI script via the management path. Researchers have observed attackers scanning large numbers of devices and bombarding them with automated requests, immediately affecting any system with an open management interface."
"The way the exploit is executed is relatively simple. Attackers send a POST request to the endpoint "/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi". The path traversal causes the device to execute the underlying CGI function, after which the payload creates a new local administrator account. Researchers have seen multiple usernames created in this way. Examples include Testpoint, trader, and trader1. Passwords such as 3eMIXX43 and AFT3$tH4ck also appeared in the logs of affected systems."
"According to BleepingComputer, the bug has now been fixed in FortiWeb 8.0.2, a version that was released at the end of October. However, Fortinet has not published any information explaining exactly what has been repaired. There is no CVE, no PSIRT advisory, and no explanation of the nature or severity of the vulnerability. As a result, there is a good chance that organizations realized too late that the update contained a security patch and that they used vulnerable systems for weeks or even months."
Attackers exploit a path traversal in Fortinet FortiWeb to invoke an internal CGI script and create local administrator accounts without authentication on internet-accessible devices. The exploit uses a POST to "/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi" to trigger the CGI and install new accounts. Observed usernames include Testpoint, trader, and trader1 with passwords such as 3eMIXX43 and AFT3$tH4ck. FortiWeb 8.0.2 contains a fix released at the end of October, but Fortinet has not published details, a CVE, or a PSIRT advisory. Large-scale global scanning and spray campaigns target publicly accessible FortiWeb management interfaces.
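As an added defensive example (not code from the article or from Techzine), the following Python check normalizes the request target from web-server access-log lines the way a naive backend would (drop the real query string, percent-decode, collapse `..`) and flags any request that never asked for `/cgi-bin/` but resolves into it. The log lines are constructed and the combined-log layout is an assumption; the request path on the second line is the one the article reports.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample access-log lines in an assumed combined-log layout.
# Only the second line carries the traversal path reported in the article;
# the other two are ordinary management-API requests.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2025:10:00:01 +0000] "GET /api/v2.0/cmdb/system/status HTTP/1.1" 200 512
203.0.113.10 - - [12/Nov/2025:10:00:02 +0000] "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 88
198.51.100.7 - - [12/Nov/2025:10:00:03 +0000] "POST /api/v2.0/cmdb/system/admin?vdom=root HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def resolved_path(target):
    """Path a naive backend would resolve for this request target.

    The literal '?' query is dropped first; an encoded '%3f' is still part of
    the path segment, so decoding happens afterwards and is repeated (bounded)
    to catch double encoding. normpath then collapses the '..' segments."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return normpath(path)

def is_cgi_traversal(target):
    """True when a request that did not ask for /cgi-bin/ resolves into it."""
    raw = target.split("?", 1)[0]
    return not raw.startswith("/cgi-bin/") and resolved_path(target).startswith("/cgi-bin/")

def scan_log(text):
    """Return (source IP, method, status, resolved path) for each suspicious line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_cgi_traversal(m["target"]):
            hits.append((m["src"], m["method"], int(m["status"]), resolved_path(m["target"])))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("traversal into CGI:", hit)
```

A hit with a 2xx status on an exposed management interface is the trigger to diff the device's local administrator list against a known baseline, since the article reports that the created accounts are the visible outcome.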
Read at Techzine Global