IT security researchers have uncovered exploit code targeting a previously unknown vulnerability in Fortinet web application firewalls. This vulnerability is similar to one patched by Fortinet in 2022. The discovery was made through a honeypot environment, revealing malware that affects FortiWeb firewalls and initially went undetected by VirusTotal. The vulnerability appears to involve path traversal, allowing attackers to bypass authentication on the admin interface and perform administrative actions.
To protect users, specific details of the payload remain undisclosed. However, the attack involves sending malware via an HTTP POST request to a specific endpoint, embedding commands to create a user account. Indicators of compromise, such as originating IP addresses and attempted username-password combinations, have been identified.
IT forensic experts demonstrated the exploit’s functionality, confirming its ability to create an admin account on a FortiWeb firewall. Fortinet has not yet issued a statement, with the latest security update dated November 3rd. As a precaution, administrators are advised to restrict firewall access to trusted IP addresses, especially if the admin interface is network-accessible.

