FortiWeb - Authentication Bypass (CVE-2025-52970)
571 Exploiting IPs reported
An improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and 7.0.10 and below may allow an unauthenticated remote attacker with non-public information pertaining to the device and targeted user to gain admin privileges on the device via a specially crafted request.
CrowdSec analysis
CVE-2025-52970 is a vulnerability in Fortinet FortiWeb that stems from improper parameter handling, potentially allowing unauthenticated remote attackers with certain non-public information to escalate privileges and gain administrative access. Exploiting this flaw could enable attackers to take full control of affected FortiWeb devices, leading to significant risks such as data compromise, configuration tampering, or service disruption.
CrowdSec has been tracking this vulnerability and its exploits since the 3rd of September 2025.
CrowdSec network data shows that most actors exploiting CVE-2025-52970 rely on broad, untargeted scans with minimal filtering. The activity is largely automated and opportunistic in nature. In addition, according to the CrowdSec network, attack volume against CVE-2025-52970 has dipped slightly compared to the previous week. Although still commonly targeted, the decline suggests a cooling-off period. Long-term relevance remains, but attention is waning.
Attackers exploit the /api/fabric/device/status endpoint by injecting SQL commands via the Authorization header, which can lead to authentication bypass and remote code execution. Subsequent exploitation stages may involve writing a webshell to /cgi-bin/x.cgi and triggering it with crafted requests.
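A defender-side check for the two request patterns described above, as an added example (not CrowdSec's or Fortinet's code). It assumes a hypothetical JSON log format that records the Authorization header (fields `src_ip`, `path`, `authorization`), and the sample records are constructed.

```python
import json
import re
from collections import defaultdict

# Paths named in the analysis above.
API_PATH = "/api/fabric/device/status"
WEBSHELL_PATH = "/cgi-bin/x.cgi"

# Assumption: a legitimate Authorization value is "<scheme> <token>" where the
# token uses only token68 characters (RFC 7235). Quotes, spaces or other
# characters inside the token are treated as a sign of injected content.
TOKEN68 = re.compile(r"^[A-Za-z]+ [A-Za-z0-9._~+/-]+=*$")

# Constructed sample records (hypothetical reverse-proxy JSON log format).
SAMPLE_LOG = """\
{"src_ip": "198.51.100.7", "path": "/api/fabric/device/status", "authorization": "Bearer eyJhbGciOi.eyJzdWIi.c2ln"}
{"src_ip": "203.0.113.9", "path": "/api/fabric/device/status", "authorization": "Bearer AAAA' <constructed non-token characters>"}
{"src_ip": "203.0.113.9", "path": "/cgi-bin/x.cgi", "authorization": ""}
{"src_ip": "192.0.2.44", "path": "/cgi-bin/x.cgi?a=1", "authorization": ""}
"""

def classify(record):
    """Return a finding label for one request, or None if it looks benign."""
    path = record.get("path", "").split("?", 1)[0]  # ignore the query string
    auth = record.get("authorization", "")
    if path == API_PATH and auth and not TOKEN68.match(auth):
        return "malformed-authorization"
    if path == WEBSHELL_PATH:
        return "webshell-path-request"
    return None

def analyze(log_text):
    """Group findings by source IP and mark IPs that show both stages."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or unparseable lines rather than abort
        label = classify(record)
        if label:
            findings[record.get("src_ip", "unknown")].append(label)
    return {ip: {"findings": labels, "both_stages": len(set(labels)) == 2}
            for ip, labels in findings.items()}

if __name__ == "__main__":
    for ip, result in analyze(SAMPLE_LOG).items():
        print(ip, result)
```

A source IP with `both_stages` set has sent a malformed Authorization header to the API endpoint and also requested the webshell path, which warrants checking the device for that file.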
Exploitation
Get real-time information about exploitation attempts and actors involved.
Common Weakness Enumeration (CWE)
Protection
Find out relevant information to protect your stack against this CVE.
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.