A security researcher has released a partial proof of concept exploit for a vulnerability in the FortiWeb web application firewall that allows a remote attacker to bypass authentication.
The flaw was reported responsibly to Fortinet and is now tracked as CVE-2025-52970. Fortinet released a fix on August 12.
Security researcher Aviv Y named the vulnerability FortMajeure and describes it as a "silent failure that wasn’t meant to happen." Technically, it is an out-of-bounds read in FortiWeb’s cookie parsing that lets an attacker set the Era parameter to an unexpected value.
This causes the server to use an all-zero secret key for session encryption and HMAC signing, making forged authentication cookies trivial to create.
Exploitation results in a full authentication bypass, letting the attacker impersonate any active user, including an administrator.
To exploit CVE-2025-52970 successfully, the target user must have an active session during the attack, and the adversary must brute-force a small numeric field in the cookie.
The brute-forcing requirement comes from a field in the signed cookie that is validated by the function refresh_total_logins() (in libncfg.so).
This field is an unknown number that the attacker must guess, but the researcher notes that the range is usually not above 30, makingg it a tiny search space of roughly 30 requests.
Because the exploit uses the all-zero key (due to the Era bug), each guess can be tested instantly by checking if the forged cookie is accepted.
The issue impacts FortiWeb 7.0 to 7.6, and was fixed in the below versions:
... continue reading