CrowdSec
5/10 CrowdSec Score

FortiWeb - Authentication Bypass (CVE-2025-52970)

Published on 12-08-2025
First seen on 04-09-2025

813 Exploiting IPs reported

An improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and 7.0.10 and below may allow an unauthenticated remote attacker with non-public information pertaining to the device and targeted user to gain admin privileges on the device via a specially crafted request.

CrowdSec analysis

CVE-2025-52970 is a vulnerability in Fortinet FortiWeb that stems from improper parameter handling, potentially allowing unauthenticated remote attackers with certain non-public information to escalate privileges and gain administrative access. Exploiting this flaw could enable attackers to take full control of affected FortiWeb devices, leading to significant risks such as data compromise, configuration tampering, or service disruption.

CrowdSec has been tracking this vulnerability and its exploits since the 3rd of September 2025.

CrowdSec network data shows that most actors exploiting CVE-2025-52970 rely on broad, untargeted scans with minimal filtering. The activity is largely automated and opportunistic in nature. CrowdSec data also reveals a clear uptick in attacks involving CVE-2025-52970 over the past week. Activity is above the usual baseline, suggesting growing attention from attackers. This may reflect rising awareness, recent exploit releases, or expanded targeting efforts.

Attackers exploit the /api/fabric/device/status endpoint by injecting SQL commands via the Authorization header, which can lead to authentication bypass and remote code execution. Subsequent exploitation stages may involve writing a webshell to /cgi-bin/x.cgi and triggering it with crafted requests.
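A log-triage sketch for the two stages described above, added here as an example and not CrowdSec's own detection rule. It assumes a reverse proxy in front of the device writes JSON lines with hypothetical fields `src`, `path` and `authorization`, and that legitimate clients send RFC 6750 style Bearer tokens; the sample lines are constructed.

```python
import json
import re

API_PATH = "/api/fabric/device/status"   # endpoint named on this page
WEBSHELL_PATH = "/cgi-bin/x.cgi"         # webshell path named on this page
# RFC 6750 b64token: the only characters a well-formed Bearer credential may
# contain. Quotes, spaces and SQL comment markers all fall outside this set.
BEARER_RE = re.compile(r"Bearer [A-Za-z0-9\-._~+/]+=*")

# Constructed sample events (documentation address ranges, generic values).
SAMPLE_LOG = [
    '{"src": "192.0.2.10", "path": "/api/fabric/device/status", "authorization": "Bearer dGVzdC10b2tlbg=="}',
    '{"src": "203.0.113.7", "path": "/api/fabric/device/status", "authorization": "Bearer x\' OR 1=1 -- "}',
    '{"src": "203.0.113.7", "path": "/cgi-bin/x.cgi"}',
    '{"src": "198.51.100.4", "path": "/cgi-bin/x.cgi?a=1"}',
    'truncated line, not JSON',
]

def classify(event):
    """Return a finding label for one event, or None if unremarkable."""
    path = str(event.get("path", "")).split("?", 1)[0]
    if path == WEBSHELL_PATH:
        return "webshell-path-request"
    auth = event.get("authorization")
    if path == API_PATH and auth is not None and not BEARER_RE.fullmatch(auth):
        return "malformed-authorization"
    return None

def scan(lines):
    """Parse JSON lines, skip unparseable ones, return (src, label) findings."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict):
            continue
        label = classify(event)
        if label:
            findings.append((event.get("src"), label))
    return findings

def staged_sources(findings):
    """Sources seen in both stages: header anomaly, then webshell path."""
    first = {src for src, label in findings if label == "malformed-authorization"}
    second = {src for src, label in findings if label == "webshell-path-request"}
    return first & second

if __name__ == "__main__":
    for src, label in scan(SAMPLE_LOG):
        print(src, label)
```

A source returned by `staged_sources` touched both stages and warrants a check of the device for unexpected files under `/cgi-bin/`, since a webshell keeps working after the source IP is blocked.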

Protection

Find out relevant information to protect your stack against this CVE.

Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.