A Fortinet FortiWeb path traversal vulnerability is being actively exploited to create new administrative users on exposed devices without requiring authentication.
The issue is fixed in FortiWeb 8.0.2, and admins are urged to update as soon as possible and check for signs of unauthorized access
The exploitation was first spotted by threat intelligence company Defused on October 6, which reported an "Unknown Fortinet exploit" used against exposed devices to create admin accounts.
Since then, attacks have increased, with threat actors now spraying the exploit globally.
According to new research published by Daniel Card of PwnDefend and Defused, the flaw is a path traversal issue affecting the following Fortinet endpoint:
/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi
Threat actors are sending HTTP POST requests to this path containing payloads that create local admin-level accounts on the targeted device.
The exploitation observed by researchers includes multiple sets of created username and password combinations, with usernames including Testpoint, trader1, and trader. Passwords seen assigned to accounts include 3eMIXX43, AFT3$tH4ck, and AFT3$tH4ckmet0d4yaga!n.
The attacks originated from a wide range of IP addresses, including:
107.152.41.19
... continue reading